Re: Stash logs

sara · ‎03-25-2026

we are unable to create further detections in ES because some key fields are missing in the stash logs. After reviewing the source logs, I found that the entity fields are marked as unknown.

We have been informed that these are internal logs, so raising a support case is not an option.

How can we identify the root cause of the missing data and determine why these fields are not being populated?

livehybrid · ‎03-25-2026

Hi @sara

Can you provide an exampe of the events which are missing fields?

Splunk Support will still usually assist where they can with issues like this if the data is being generated by your Splunk deployment, if the events missing fields are coming from outside of Splunk then I imagine we wont be able to help too much but if its generated within Splunk then support should help.

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

PickleRick · ‎03-25-2026

What stash logs? What source logs?

Are you trying to run your detections on some summarized data?

What internal logs are you talking about?

Stash logs

field extraction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation