Fields disappear in search app?

smileyge · ‎05-27-2014

I am running a search with just over a million rows on a particular index with maybe 15 fields per event. Once it gets past about 100,000 events, the field list on the left disappears. The fields I had previously selected on a smaller search still appear in the event window and the fields are all in the results if I use the table command. I tried another index with 5 million rows and ~10 fields and the UI works fine. Any ideas? Could I be hitting some sort of limit in the limits.conf? I'm not getting any warnings or anything, it just doesn't show me the fields. I'm running in verbose mode splunk 6.1.1.

Thanks for any insight

lguinn2 · ‎05-27-2014

It depends on the search. By default, a field only appears in the "Interesting" list when it occurs in 50% of the events that are retrieved by the search. If you click on the "All Fields" link, you should still be able to see the fields. You can search for field names or set threshholds as well.

smileyge · ‎06-02-2014

The trouble here is the fields, the entire piece on the left, disappears. I adjusted some of the limits in limits.conf and was able to get it to go up to 1,000,000 events, but after that it still disappears. Interestingly, shrinking the chunk size seems to increase the number of events before it goes away. As the search is running, the fields on the left work fine, but once it reaches a million rows they go away

ejenson_splunk · ‎05-11-2016

I see this issue with large JSON events in version 6.4.0. This could simply be a limit reached but not sure which limit. What limits.conf adjustments were made? My core fields of host, sourcetype and source all disappear and not displayed even when clicking the show all fields option.

Fields disappear in search app?

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!