Splunk Search

Field shows up under interesting fields but when you click any of the values, there are no results

jordanking1992
Path Finder

We have data indexed in Splunk that has a field called pod. In the screenshots, you can see that pod has a list of values (and counts). However, when you select any of the values no results are returned. Someone mentioned that i should create an entry in fields.conf but i would like to know what Splunk is doing with this field. Any solutions are appreciated.

alt text

0 Karma

woodcock
Esteemed Legend

You have to tell the Search Head that these fields are not indexed fields by adding this to fields.conf:

[pod]
INDEXED_VALUE = false

See details here:
https://www.splunk.com/blog/2011/10/07/cannot-search-based-on-an-extracted-field.html

jordanking1992
Path Finder

So it interesting because this now lets me see the values but the count before clicking the value versus after clicking the value is WAY different. For instance, Splunk says the count is 286, 000 but when i click it it only shows 12 (for the exact same time range) ??

0 Karma

woodcock
Esteemed Legend

Are you searching in verbose mode? If so, then I would open a support case.

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...