Re: Search results don't show extracted field

cpenkert · ‎08-29-2011

I created a search time that works as expected when I do a search on only the sourcetype that I created the extraction for. If I add any search terms to the search string, the extracted field no longer shows up in the list of fields.

To try to clarify, I created a search time field extraction to pull a guid out of events. I tied this extraction to sourcetype=applogs. When I search on sourcetype=applogs, I can see the field in the list of fields. If I search for sourcetype=applogs AND error, the extracted field no longer shows up in the list of fields, despite the fact that the data is identical.

Thoughts?

Paolo_Prigione · ‎09-01-2011

You might want to further explore Nick's third suggestion before going this direction.
However, what if you try this search:

sourcetype=applogs error | search yourfield=an_existing_value | table _time yourfield

Does it return values? Do you see your field's column? I.e. is the field correctly extracted and still present in the search results?

In our experience the field picker sometimes does not show fields which apply to a limited subset of the returned events. Indeed, the fields are there and it is possible to use them from the search language.
We haven't tried this yet, but one workaround might be to modify the Flashtimeline view by altering the FieldPicker module's "fields" param like this:

<module name="TitleBar" layoutPanel="viewHeader"/>
          <module name="FieldPicker" layoutPanel="sidebar">
            <param name="fields">host sourcetype source YOURFIELD</param>
            <param name="link">

Good luck

sideview · ‎08-29-2011

Well there's three places you might mean by 'list of fields'.

1) The actual 'Selected Fields' section of the leftnav. This behavior would indeed be pretty strange in this one and I cant think of an explanation except the obvious one -- that the field extraction works in the events that dont contain the word 'error', but the extraction fails in the events that contain the word 'error'. This seems pretty unlikely though, simply because you would have picked up on it. 😃 So hopefully what you're actually seeing is in one of the other two places.

2) The 'Suggested Fields' section of the leftnav. This module will only show a given field if a couple simple heuristics apply. If the incidence of a field changes from query to query, particularly if it drops to where the field is not in very many events then this situation can arise where it can seem to disappear from query to query.

3) the Field Picker popup, where you choose the fields for the 'Selected fields' section. Even the Field Picker wont show fields that are present in less than 1% of the events. If it's the field picker that you mean, then with the field picker open, note the peculiar textbox near the top left, a textbox with a "%" over it, and with the number '1' inside it. Change this 1 to '0' and hit return and see if the field appears.

cpenkert · ‎09-01-2011

Any other feedback? If not by the end of the day, I'll open a case on this as I need it resolved.

cpenkert · ‎08-31-2011

Does anyone else have potential fixes for this?

cpenkert · ‎08-30-2011

It does not show up in any of the 3 areas. I would expect to see it in the field picker at a minimum. The field in question is in 100% of the events that I am getting back in my search results.
I went into the field picker and changed the % from 1 to 0 and hit return, but it also did not make a difference.

Search results don't show extracted field

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk