Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Certain extracted fields not showing in Fields Sidebar on one SH, but is on another SH.

ezmo1982
Path Finder
‎12-04-2020 04:28 AM

Hello,

I have a problem where fields are not showing on the Field Sidebar when i run a search against certain indexes/sourcetypes. I have two Search Heads. When I run the same search on both SH's, the fields displayed on Field Sidebar are different. I have ensured that Verbose mode is selected and that I am selecting "All Fields" in the Field selector popup. The search returns the same count of events and I can confirm the fields are being extracted. Field Extraction was performed months ago.

The search term is index="mimecast" sourcetype="mimecastsiemst" mcType=email_ttp_url.

If I run this search one SH,  the "recipient" field is displayed, as an example. But if I run the search on the other SH, it is not displayed. I have also noticed that if I exclude sourcetype="mimecastsiemst"  from the search on the SH that is displaying this field, and rerun the search - the field is no longer displayed on the Field Sidebar. There are other fields that act in the same way.

Can someone please provide help on why this is happening and how I can have searches from both SHs to return all the extracted fields.

Thanks!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-04-2020 06:41 AM

The S&R app is guaranteed to be on all instances.  More important, however, are the optional apps and add-ons that perform field extractions.  Please go to the Manage Apps page and very each SH has the same list of installed apps.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-04-2020 05:42 AM

Do both SHs have the same apps installed and are they enabled in both places?  Are searches being run in the same app in both places?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

ezmo1982
Path Finder
‎12-04-2020 05:53 AM

Yes the searches are both being run from the Search and Reporting app, which is installed on both SH's. 

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-04-2020 06:41 AM

The S&R app is guaranteed to be on all instances.  More important, however, are the optional apps and add-ons that perform field extractions.  Please go to the Manage Apps page and very each SH has the same list of installed apps.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

ezmo1982
Path Finder
‎12-08-2020 12:48 AM

Yes looks like this was a problem with the Add-On. When I updated the Add-on on both SH's to the same  version the field extraction is now consistent on both when searching.

Thanks for the help.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...