Solved: Field that exist is not showing in search report

trevor7 · ‎07-31-2024

Hello all,

I have a query which creates a table similar to the following:

| table S42DSN_0001 S42DSN_0010

The table populates data within the S42DSN_0001 column, but not the S42DSN_0010 column. I've double checked that there is definitely data captured within that field by looking at the events.

There are 20 similarly named fields using the format S42DSN_00## which are found within the raw event data. Only the first 8 return results using the above query.

For example the following works fine:

| table S42DSN_0001 S42DSN_0002

Any thoughts on why this might be happening? I am wondering if events past iteration S42DSN_0008 are not considered interesting, so Splunk is leaving them out of the results? Oddly enough, if I change my time period to the past 30 days, and use S42DSN_0010=* as a search criteria, I receive some, but not all results within that column.

Thanks in advance,

Trevor

gcusello · ‎08-01-2024

Hi @trevor7 ,

in interesting fields there are only fields present at least in the 20% of the displayed events, to see the others go in "Other fields".

you can force Splunk to display them, adding to your search (only for test) the condition S42DSN_0010=*, select this field as Selected and then remove the above additional condition.

In this way you should see this field in your list.

About the not displayed using the table command is another issue that I cannot check without accessing your data, do you see them in interesting fields?

The only check I hint is on the field name, that's case sensitive.

Then selecting the above field, you should see the value of this field for each event so you can be sure that there's a value for this field; maybe you have few rows with this field and you are seeing only the ones without it.

Ciao.

Giuseppe

View solution in original post

gcusello · ‎08-01-2024

Hi @trevor7 ,

in interesting fields there are only fields present at least in the 20% of the displayed events, to see the others go in "Other fields".

you can force Splunk to display them, adding to your search (only for test) the condition S42DSN_0010=*, select this field as Selected and then remove the above additional condition.

In this way you should see this field in your list.

About the not displayed using the table command is another issue that I cannot check without accessing your data, do you see them in interesting fields?

The only check I hint is on the field name, that's case sensitive.

Then selecting the above field, you should see the value of this field for each event so you can be sure that there's a value for this field; maybe you have few rows with this field and you are seeing only the ones without it.

Ciao.

Giuseppe

gcusello · ‎08-01-2024

Hi @trevor7 ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

PickleRick · ‎07-31-2024

We have no idea what your events look like and what is your configuration so we can't know how and why the fields are (not) extracted.

Most probably your sourcetype is misconfigured and doesn't extract the fields or the extractions aren't configured at all and Splunk relies on its automatic extractions which your events might not completely fit into.

Field that exist is not showing in search report

other

table

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?