Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Field categorization

KarunK
Contributor
‎04-07-2013 07:30 PM

Hi All,

A quick question reagrding the symbols "#" and "a" (alpha I believe), on the left hand side of a filed name in "selected fields" and "interesting fields".

How is this categorized ? Is it based on the field type alphanumeric and numeric. But this is not consistent ?

Any idea ?

Thanks

Regards

KK

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dmr195
Communicator
‎04-11-2013 07:36 AM

It would appear that fields are considered numeric if more than half of the field values are numeric.

The bit of code that decides is in $SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/js/field_summary.js:

    // treat as numeric if HALF or more of the occurences are considered numeric
    var isNumeric = (parseInt(fieldNode.attr("nc"), 10) > this.eventCount/2);

If you want to see what proportion of field values are numeric for your search, click the "i" button to display the search job inspector, then scroll right to the bottom of it and click the "field_summary" link. In the field summary, you'll see lines similar to:

  <field k="date_hour" c="86275" nc="86275" dc="24" exact="1" relevant="0">

The "c" attribute is telling you the total count and the "nc" field is telling you the numeric count, so if nc>c/2 then the field will be considered numeric.

View solution in original post

Reply
Solved! Jump to solution
Solution

dmr195
Communicator
‎04-11-2013 07:36 AM

It would appear that fields are considered numeric if more than half of the field values are numeric.

The bit of code that decides is in $SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/js/field_summary.js:

    // treat as numeric if HALF or more of the occurences are considered numeric
    var isNumeric = (parseInt(fieldNode.attr("nc"), 10) > this.eventCount/2);

If you want to see what proportion of field values are numeric for your search, click the "i" button to display the search job inspector, then scroll right to the bottom of it and click the "field_summary" link. In the field summary, you'll see lines similar to:

  <field k="date_hour" c="86275" nc="86275" dc="24" exact="1" relevant="0">

The "c" attribute is telling you the total count and the "nc" field is telling you the numeric count, so if nc>c/2 then the field will be considered numeric.

Reply
Solved! Jump to solution

koshyk
Super Champion
‎06-09-2015 02:03 AM

superb concise answer.

0 Karma
Reply
Solved! Jump to solution

KarunK
Contributor
‎04-23-2013 11:54 PM

Thanks for that. really helpful.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...