Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why does the Splunk field summary not show 100 percent for a certain field?

lohitkidu
Path Finder
‎02-09-2016 05:52 AM

Hi All,

One of my fields summary in Splunk field bar is not showing 100 percent, even though I have that field in all events. This field is under selected fields as well.

When I specifically make this field in a search or click on "Events with this field", then only I get 100 percent values

Why it is not 100 percent in the first case?

0 Karma
Reply

DalJeanis
SplunkTrust
SplunkTrust
‎05-04-2017 11:40 AM

1) Are you saying that the exact name of the field is summary? It could be that you are running into problems due to naming a field with a commonly reserved word.

2) use earliest="04/25/2017:23:00:00" latest="04/27/2017:01:00:00" (or any such values) and narrow the time range of the search until you get a dozen records or so, where less than 100% are detected as having the field. Then you can look at individual records and see if the field is present and if there is a pattern.

0 Karma
Reply

somesoni2
SplunkTrust
SplunkTrust
‎02-09-2016 10:24 AM

It could be that the fields is not extracted/recognized by Splunk for some events. Try to run this query to find out events where Splunk is not able to recognize it and verify the raw data.

your base search Yourfield!=*
0 Karma
Reply

lohitkidu
Path Finder
‎02-09-2016 06:44 PM

Hi Somesoni2,

I have already that and it gives me no results which means all my events have that field. I have already mentioned that in my question.

0 Karma
Reply

javiergn
SplunkTrust
SplunkTrust
‎02-09-2016 10:16 AM

Without knowing how your data looks like, etc it's hard to say but if I were you I would try to identify those events where the field is not present. You can do this by using the following syntax:

index=yourindex sourcetype=yoursourcetype NOT fieldname=*
0 Karma
Reply

lohitkidu
Path Finder
‎02-09-2016 06:52 PM

I have already tried the query above and it gives me no events which means the field is present in all of my events.

Field 'subtype' has 6 values, 6.442% events. But that field is present is all my events. I confirm this if i click on Events with this field and it gives me same number of events. It look like below

subtype

Selected Yes No
6 Values, 7.563% of events

Reports
Top values Top values by time Rare values
Events with this field

0 Karma
Reply

the_wolverine
Champion
‎05-04-2017 10:29 AM

I've got the same question. There's a field that should be 100% but Splunk is reporting some extremely low percentage. Something else is going on that is not evident -- maybe the percentage means something else. If so, no idea. Filed a support case for answers.

0 Karma
Reply

somesoni2
SplunkTrust
SplunkTrust
‎05-04-2017 11:25 AM

Which mode are you running the search in, fast or smart? This field, should it be auto extracted or there is a custom field extraction setup for it?

0 Karma
Reply
Get Updates on the Splunk Community!

Streamline Data Ingestion With Deployment Server Essentials

REGISTER NOW!Every day the list of sources Admins are responsible for gets bigger and bigger, often making the ...

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

REGISTER NOW!Join us for a Tech Talk around our latest release of Splunk Enterprise Security 7.2! We’ll walk ...

Introduction to Splunk AI

WATCH NOWHow are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. ...