Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

A new search field no longer shows in Interesting Fields to be selected

Splunk2016
Path Finder
‎04-09-2015 01:46 PM

I would appreciate any comments:

1) Added "Total" as one of my Selected Fields from the following search (this worked fine):

host="HP" sourcetype="csv" | eval ActionObligation1=tonumber(replace(ActionObligation,",","")) | eventstats sum(ActionObligation1) as Total | eval Total=if(Total>0,"$".tostring(Total,"commas"),"($".tostring(Total*-1,"commas").")")

2) Then I changed "Total" to "GrandTotal" and forgot to remove the previous "Total" from Selected Fields

host="HP" sourcetype="csv" | eval ActionObligation1=tonumber(replace(ActionObligation,",","")) | eventstats sum(ActionObligation1) as GrandTotal | eval GrandTotal=if(GrandTotal>0,"$".tostring(GrandTotal,"commas"),"($".tostring(GrandTotal*-1,"commas").")")

3) I then unchecked all Selected Fields
4) How do I get GrandTotal to appear in Interesting Fields? It no longer displays as an interesting new field. I tried changing back to Total and it no longer displays it under Interesting fields either.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎04-09-2015 02:11 PM

Interesting fields are fields that have values in over 20% of the events that are returned from your search. The amount of fields you see in interesting fields can also depend on your search mode (fast mode does not perform field discovery). If you go to "All Fields", you can then search for your field or change the threshold. From there, you can also make the field selected, even if it isn't considered an "interesting" field.

alt text

View solution in original post

Preview file
59 KB
Reply
Solved! Jump to solution
Solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎04-09-2015 02:11 PM

Interesting fields are fields that have values in over 20% of the events that are returned from your search. The amount of fields you see in interesting fields can also depend on your search mode (fast mode does not perform field discovery). If you go to "All Fields", you can then search for your field or change the threshold. From there, you can also make the field selected, even if it isn't considered an "interesting" field.

alt text

Preview file
59 KB
Reply
Solved! Jump to solution

Splunk2016
Path Finder
‎04-09-2015 02:35 PM

"All Fields" do not show the "GrandTotal" . Coverage option is 100%. if fast mode does not perform field discovery
why did "Total" showed before but it no longer shows up under interesting fields? There are over 8,000 events returned from the search. Perhaps something got changed and I need to reset my splunk environment. Thanks!

I think I see my issue. Coverage option should be changed to "All Fields". Now I can see "GrandTotal"! Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Community Content Calendar, October Edition

Welcome to the October edition of our Community Spotlight! The Splunk Community is a treasure trove of ...