Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Few fields not visible when check on the all feilds section but i can see them when i table them with the names.

HarishSamudrala
Loves-to-Learn
‎03-21-2024 02:21 PM

I have a strange issue, when i search for specific event in Splunk and I am looking for specific fields( ex field1, field2) i can not see them in selected fields and interested fields.

But, when i run the same query and table those fields , i can see them. 

index=1234 sourcetype=4567 --> can not see those fields when this search is triggered. But when i add a table command with those field names in the search i can see the fields and the values for them.

 

index=1234 sourcetype=4567 | table field1, field2 --> this query i can see the fields.

 

Did any one face this issue ? We are on latest Splunk version 9.0.X..

 

 

Labels (1)
Labels
0 Karma
Reply

HarishSamudrala
Loves-to-Learn
‎03-22-2024 09:38 AM

Hi @richgalloway ,

Thanks for you inputs on this. 

We are running the search in verbose mode only, but this did no help us. The event we are dealing with is very big and we are thinking if Splunk is hitting any limitation in showing up all the fields in the left side panel selected fields and interested fields.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-22-2024 09:45 AM

How big are the events?  Splunk default to 200 field extractions, IIRC.  Also, what type of data is it?  I've seen problems extracting JSON data, especially nested JSON.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎03-22-2024 10:02 AM

Hi

This could be the reason. Just hunting this kind of issues and still working with it.

You should look limits.conf and it's kv-stanza. Also check what you have on your sourcetype (and/or host and source) definition's TRUNCATE value. Both of those are affecting how many fields splunk automatically found.

r. Ismo

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-21-2024 10:37 PM

Hi @HarishSamudrala ,

in addition to the hint of @richgalloway , remember that in interesting fields you see only the fields present in at least 20% of the events, probably these fields have a minor percentage.

Instead running a search with these fields (e.g. field1=*), they are present at the 100% of the events.

If you open the "All fields" panel, you can see fields present (by default) in more than 1% of the events and you can use also a filter to have all the fields without a threshold

Ciao.

Giuseppe

0 Karma
Reply

HarishSamudrala
Loves-to-Learn
‎03-22-2024 09:41 AM

hi @gcusello ,

Thanks for your inputs on this. 

Yeah , we have validated that "All fields" are selected in the fields drop down.  We are running the search in verbose mode.

But, nothing helped...out event is very big and i am thinking if there is any limitation Splunk is hitting in showing up the fields. 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-21-2024 04:06 PM

Make sure you're running the search in Verbose mode.  In Smart mode, Splunk only extracts fields explicitly referenced in the query.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...