Splunk Search

Fields disappear in search app?

smileyge
Path Finder

I am running a search with just over a million rows on a particular index with maybe 15 fields per event. Once it gets past about 100,000 events, the field list on the left disappears. The fields I had previously selected on a smaller search still appear in the event window and the fields are all in the results if I use the table command. I tried another index with 5 million rows and ~10 fields and the UI works fine. Any ideas? Could I be hitting some sort of limit in the limits.conf? I'm not getting any warnings or anything, it just doesn't show me the fields. I'm running Splunk 6.1.1 in verbose mode.

Thanks for any insight

0 Karma

lguinn2
Legend

It depends on the search. By default, a field only appears in the "Interesting" list when it occurs in 50% of the events that are retrieved by the search. If you click on the "All Fields" link, you should still be able to see the fields. You can search for field names or set thresholds as well.

0 Karma

smileyge
Path Finder

The trouble here is the fields, the entire piece on the left, disappears. I adjusted some of the limits in limits.conf and was able to get it to go up to 1,000,000 events, but after that it still disappears. Interestingly, shrinking the chunk size seems to increase the number of events before it goes away. As the search is running, the fields on the left work fine, but once it reaches a million rows they go away.

0 Karma

ejenson_splunk
Splunk Employee

I see this issue with large JSON events in version 6.4.0. This could simply be a limit reached, but I'm not sure which limit. What limits.conf adjustments were made? My core fields of host, sourcetype and source all disappear and are not displayed even when clicking the show all fields option.

0 Karma