Splunk Search

How to check missing fields and not generating 100 percentage

sasankganta
Path Finder

index="*" sourcetype="*" and I have a field name with tag and it's generating 80% of events; how can I check why it's not generating 100% of events and where it's missing?

Also, is there any regex / REST API / rex query to get what are all the fields generating 100% events, and if it's <100% whe

0 Karma
1 Solution

richgalloway
SplunkTrust

You don't need git.  Just download the app from github and install it on Splunk.

---
If this reply helps you, Karma would be appreciated.


sasankganta
Path Finder

Also one more: Index=A sourcetype=B, and I can see under the fields category the field "C" with a count of 10k+ values...

But if I search with Index=A sourcetype=B category=C, it is showing "No results found"; tried in all the search modes, didn't work. Source is tcp:9997. Can you please suggest what can be the issue?

0 Karma

richgalloway
SplunkTrust

I don't have an answer.  Sorry.

---
If this reply helps you, Karma would be appreciated.

sasankganta
Path Finder

Thank you, mate, for the documents. Yes, for CIM validation, but we don't have git in the environment; let me check possible ways. If you have any other suggestions I will be grateful.

0 Karma

richgalloway
SplunkTrust

It's normal for a field to be present in some events and not in others.  The only fields we can be sure will have 100% coverage are _time, index, source, sourcetype, and host.

If you have a certain field that is supposed to be in all events but isn't, try this query to find the events that are missing it.

index=foo sourcetype=bar NOT field=*

The rex command extracts fields, but won't tell you which fields are in all events.

The regex command can filter out events that are missing certain fields.  That's not much different from the query above, however.

| regex field!=".*"

I'm not aware of any REST command that returns field information.

If you're trying to test the CIM compliance of your data then try the CIM Validator app at https://splunkbase.splunk.com/app/2968/

---
If this reply helps you, Karma would be appreciated.
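An added example that is not from this thread: one search that answers the "which fields are below 100% and by how much" part of the question. It assumes placeholder index foo and sourcetype bar, and it relies on at least one field (such as sourcetype or host) being present in every event, so the largest per-field count equals the total number of events.

```spl
index=foo sourcetype=bar
| fieldsummary maxvals=0
``` Per-field event counts for the search results; maxvals=0 skips the value samples.
| eventstats max(count) AS total_events
``` Largest count is the total, since sourcetype/host/index are in every event.
| eval coverage_pct=round(100*count/total_events, 1)
| where coverage_pct < 100
``` Keep only fields that are missing from some events.
| table field count total_events coverage_pct
| sort coverage_pct
```

The field named on the first row is the one with the worst coverage; drop it into the `NOT field=*` search above to see the actual events that lack it.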