Splunk Search

How to get the details of a field value that does not appear in search results?

moiezuddin
Explorer

How to get the details of field app=sencer, when it is not shown in the values for the app field?

0 Karma

markthompson
Builder

Do you mean on your search results?

If so - On the left-hand side is a panel that says "Fields". Scroll to the bottom and it'll say "All Fields". Click that and it will bring up a list of all fields on that event. Select the tickbox and click Save and it will show up.

If not - and you're trying to search for the field, as long as it exists, a simple

search ... | where app = "sencer"

Should do the trick

0 Karma

moiezuddin
Explorer

I'm trying to search for the field

index=casm_prod sourcetype=smtrace | where app = "sencer"

No result, but I can see another application listed in app values except "sencer"

0 Karma

markthompson
Builder

Also, be aware that you should use the table function in between, as it creates an output.

0 Karma

markthompson
Builder

As a shorter way, just include it in your original search:

index=casm_prod sourcetype=smtrace app=sencer

0 Karma

markthompson
Builder

Try putting it in brackets: WHERE (app="sencer")

0 Karma