Splunk Search

Certain extracted fields not showing in Fields Sidebar on one SH, but are on another SH.

ezmo1982
Path Finder

Hello,

I have a problem where fields are not showing on the Field Sidebar when I run a search against certain indexes/sourcetypes. I have two Search Heads. When I run the same search on both SHs, the fields displayed on the Field Sidebar are different. I have ensured that Verbose mode is selected and that I am selecting "All Fields" in the Field selector popup. The search returns the same count of events and I can confirm the fields are being extracted. Field Extraction was performed months ago.

The search term is index="mimecast" sourcetype="mimecastsiemst" mcType=email_ttp_url.

If I run this search on one SH, the "recipient" field is displayed, as an example. But if I run the search on the other SH, it is not displayed. I have also noticed that if I exclude sourcetype="mimecastsiemst" from the search on the SH that is displaying this field, and rerun the search, the field is no longer displayed on the Field Sidebar. There are other fields that act in the same way.

Can someone please provide help on why this is happening and how I can get searches from both SHs to return all the extracted fields?

Thanks!


richgalloway
SplunkTrust

Do both SHs have the same apps installed and are they enabled in both places? Are searches being run in the same app in both places?

---
If this reply helps you, an upvote would be appreciated.

ezmo1982
Path Finder

Yes, the searches are both being run from the Search and Reporting app, which is installed on both SHs.


richgalloway
SplunkTrust

The S&R app is guaranteed to be on all instances. More important, however, are the optional apps and add-ons that perform field extractions. Please go to the Manage Apps page and verify each SH has the same list of installed apps.

---
If this reply helps you, an upvote would be appreciated.

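One way to do the comparison richgalloway suggests from the command line rather than from Manage Apps, as an added example that is not part of this thread: build a sorted app/version/state inventory from each SH's etc/apps tree and diff the two files. The app names, versions and directory layout in make_fixture are constructed placeholders; real app.conf files are read the same way.

```shell
# Added example, not from the thread: inventory apps on a search head so two SHs
# can be diffed for add-on version or enabled-state drift. Fixture values are constructed.
# conf_value <app_dir> <stanza> <key>: read a key from default/app.conf, letting
# local/app.conf override it, as Splunk's configuration layering does.
conf_value() {
    val=""
    for f in "$1/default/app.conf" "$1/local/app.conf"; do
        [ -f "$f" ] || continue
        v=$(awk -v s="[$2]" -v k="$3" '
            $0 == s { in_s = 1; next }
            /^\[/ { in_s = 0 }
            in_s && $0 ~ "^[ \t]*" k "[ \t]*=" {
                sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
            }' "$f")
        [ -n "$v" ] && val=$v
    done
    printf '%s\n' "$val"
}
# list_apps <apps_dir>: one sorted "app<TAB>version<TAB>state" line per app.
# No [install] stanza means the app is enabled, which is Splunk's default.
list_apps() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        app=$(basename "$d")
        ver=$(conf_value "$d" launcher version)
        state=$(conf_value "$d" install state)
        printf '%s\t%s\t%s\n' "$app" "${ver:-unknown}" "${state:-enabled}"
    done | sort
}
# compare_apps <inventory_a> <inventory_b>: print only the rows that differ.
compare_apps() {
    diff "$1" "$2" | grep '^[<>]' || true
}
# make_fixture: constructed stand-in for two SHs' etc/apps trees; prints its root.
# sh1 and sh2 share the search app but carry different versions of one add-on,
# and sh2 has disabled that add-on locally.
make_fixture() {
    root=$(mktemp -d)
    for s in sh1 sh2; do
        mkdir -p "$root/$s/search/default" "$root/$s/TA-example/default" "$root/$s/TA-example/local"
        printf '[launcher]\nversion = 8.2.0\n' > "$root/$s/search/default/app.conf"
    done
    printf '[launcher]\nversion = 4.1.0\n' > "$root/sh1/TA-example/default/app.conf"
    printf '[launcher]\nversion = 4.0.2\n' > "$root/sh2/TA-example/default/app.conf"
    printf '[install]\nstate = disabled\n' > "$root/sh2/TA-example/local/app.conf"
    printf '%s\n' "$root"
}
root=$(make_fixture)
list_apps "$root/sh1" > "$root/sh1.txt"; list_apps "$root/sh2" > "$root/sh2.txt"
compare_apps "$root/sh1.txt" "$root/sh2.txt"
```

On real hosts, run list_apps "$SPLUNK_HOME/etc/apps" on each SH, copy the two outputs side by side and feed them to compare_apps.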

ezmo1982
Path Finder

Yes, looks like this was a problem with the Add-On. When I updated the Add-on on both SHs to the same version, the field extraction is now consistent on both when searching.

Thanks for the help.
