Splunk Search

How to check missing fields and not generating 100 percentage

sasankganta
Path Finder

index="*" sourcetype="*" and I have a field name with tag and it's generating 80% of events, how can I check why it's not generating 100% of events and where it's missing.

Also, is there any regex / REST API / rex query to get what are all the fields generating 100% events, and if it's <100% whe

0 Karma

sasankganta
Path Finder

Also one more, Index=A sourcetype=B and I can see under fields category field "C" with count of 10k+ values ..

But if I search with Index=A sourcetype=B category=C, it is showing No results found; tried in all the search modes, didn't work. source tcp:9997. Can you please suggest what can be the issue.

0 Karma

richgalloway
SplunkTrust

I don't have an answer.  Sorry.

---
If this reply helps you, Karma would be appreciated.

sasankganta
Path Finder

Thank you Mate for the documents. Yes for CIM validation, but I don't have git in the environment; let me check possible ways. If you have any other suggestions, I will be grateful.

0 Karma

richgalloway
SplunkTrust

You don't need git.  Just download the app from github and install it on Splunk.

---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust

It's normal for a field to be present in some events and not in others.  The only fields we can be sure will have 100% coverage are _time, index, source, sourcetype, and host.

If you have a certain field that is supposed to be in all events but isn't, try this query to find the events that are missing it.

index=foo sourcetype=bar NOT field=*

The rex command extracts fields, but won't tell you which fields are in all events.

The regex command can filter out events that are missing certain fields.  That's not much different from the query above, however.

| regex field!=".*"

I'm not aware of any REST command that returns field information.

If you're trying to test the CIM compliance of your data then try the CIM Validator app at https://splunkbase.splunk.com/app/2968/

---
If this reply helps you, Karma would be appreciated.
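As an added example (not code from either poster in this thread), the search below turns the advice above into a single report: it computes the percentage of events in which each named field is present, then shows where the events missing one field come from. The index foo, sourcetype bar and the field names category, src and user are placeholders standing in for the asker's own values; stats count(field) counts only events where that field is non-null, which is what makes the percentage meaningful.

```spl
index=foo sourcetype=bar
| stats count AS total,
        count(category) AS category_present,
        count(src) AS src_present,
        count(user) AS user_present
| foreach *_present
    [ eval <<MATCHSTR>>_pct = round(100 * '<<FIELD>>' / total, 2) ]
| fields - *_present
```

The foreach clause derives one *_pct column per *_present column, so adding a field to check is a matter of adding one more count(...) to the stats line. A field at 100% gives a _pct of 100.00; anything lower is the symptom the asker describes. To see where the gap is (the "where it's missing" half of the question), run the NOT field=* search from the reply and group the misses by their origin, again with placeholder names:

index=foo sourcetype=bar NOT category=*
| stats count BY host, source, sourcetype

A field that is only partly extracted matters beyond tidiness: correlation searches and CIM data models filter on those fields, so events without them are silently excluded from detections, and the per-host breakdown usually points at the forwarder or input whose parsing differs from the rest.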