Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Field categorization

KarunK
Contributor
‎04-07-2013 07:30 PM

Hi All,

A quick question reagrding the symbols "#" and "a" (alpha I believe), on the left hand side of a filed name in "selected fields" and "interesting fields".

How is this categorized ? Is it based on the field type alphanumeric and numeric. But this is not consistent ?

Any idea ?

Thanks

Regards

KK

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dmr195
Communicator
‎04-11-2013 07:36 AM

It would appear that fields are considered numeric if more than half of the field values are numeric.

The bit of code that decides is in $SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/js/field_summary.js:

    // treat as numeric if HALF or more of the occurences are considered numeric
    var isNumeric = (parseInt(fieldNode.attr("nc"), 10) > this.eventCount/2);

If you want to see what proportion of field values are numeric for your search, click the "i" button to display the search job inspector, then scroll right to the bottom of it and click the "field_summary" link. In the field summary, you'll see lines similar to:

  <field k="date_hour" c="86275" nc="86275" dc="24" exact="1" relevant="0">

The "c" attribute is telling you the total count and the "nc" field is telling you the numeric count, so if nc>c/2 then the field will be considered numeric.

View solution in original post

Reply
Solved! Jump to solution
Solution

dmr195
Communicator
‎04-11-2013 07:36 AM

It would appear that fields are considered numeric if more than half of the field values are numeric.

The bit of code that decides is in $SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/js/field_summary.js:

    // treat as numeric if HALF or more of the occurences are considered numeric
    var isNumeric = (parseInt(fieldNode.attr("nc"), 10) > this.eventCount/2);

If you want to see what proportion of field values are numeric for your search, click the "i" button to display the search job inspector, then scroll right to the bottom of it and click the "field_summary" link. In the field summary, you'll see lines similar to:

  <field k="date_hour" c="86275" nc="86275" dc="24" exact="1" relevant="0">

The "c" attribute is telling you the total count and the "nc" field is telling you the numeric count, so if nc>c/2 then the field will be considered numeric.

Reply
Solved! Jump to solution

koshyk
Super Champion
‎06-09-2015 02:03 AM

superb concise answer.

0 Karma
Reply
Solved! Jump to solution

KarunK
Contributor
‎04-23-2013 11:54 PM

Thanks for that. really helpful.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...