Splunk search context.

Communicator

Hi,

Something I've always wondered but never thought to ask.

In v4.x of Splunk (currently using v4.2, but have seen the same behaviour in older 4.x versions), why does Splunk show different fields on the left when looking at the same data a different way?

For example, assume I have Radius logs, and they're coming from host=1.2.3.4 as well as being sourcetyped as radius_logs.

If I search for "host=1.2.3.4" I see my Radius fields (Caller_ID, NAS-IP-Address, etc.), but when searching for "sourcetype=radius_logs" I don't see my fields (just the default Splunk ones like host, source, sourcetype, etc.).

I assume Splunk's search is contextual, but I was hoping someone could elaborate further on why this behaviour occurs, so I can plan my searches accordingly 🙂

Thanks!

1 Solution

Explorer

Hello,

There can be 2 things regarding your question:

1) The field you created is not set as being shown. You can select it to be shown by clicking the "pick fields" option at the bottom of the field list. In this way Splunk will show your field.

2) The fields in Splunk appear w.r.t. the contents of your search result. When you search by giving a specific IP, the search result comes up with data specific to the IP you mentioned. In this case the field (i.e. the IP address you specified) always occurs in your search, and hence your field also appears in the field list.
However, in a generic search it is not necessary that your requested field appears in the log. The fields related to data not available in the search result are not shown by Splunk, because these fields are irrelevant to that search.

Keep in mind, if you have created a field from a search where the IP address was appearing in the 2nd column of the log, it will not work with a search where the IP address appears in some other column of the log [instead of the 2nd column].

Communicator

Hi mkashif,

I understand what you're saying, and agree. I was more wondering how Splunk decides which fields to display in the left-hand column.

I'm seeing roughly the same data doing either search (host=1.2.3.4 or sourcetype=radius_logs); I was just wondering how Splunk decides to display a field name variable in the picker on the left-hand side.

Together with your answer and others, I think I understand now why this occurs.

Many thanks for your help and everyone who replied!

Explorer

Hello,

I am sorry that I didn't get your question accurately.

What I got is that you are having a format fluctuation in your logs. The log pattern is not the same throughout. Am I right?

You can filter out all the formats using the punct command. It will filter out all the formats, e.g. it will categorize your logs with DNS and without DNS; then you can filter your search further.

Regards,

Splunk Employee

There is a threshold which determines whether a field will show up under the "Other interesting fields" section. I'm not sure exactly what the number is, but as an example, if a field is common to 60% of the events, then it would show up there, whereas anything lower would not and you'd have to click on the field picker to see it. Obviously, what I'm searching for will often determine the frequency of a particular field showing up. If I search for "src_ip=1.2.3.4", the "src_ip" field will occur 100% of the time in the results. Those same events may also sometimes carry a DNS name though, "src_host" for instance, which may not always be populated -- I didn't specify that it was required through my search, therefore it will show only if it occurs frequently enough to be considered "interesting".
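
To make the threshold behaviour described in this answer concrete, here is a small Python simulation. It is an added example, not Splunk's code and not taken from the thread: it runs the two searches from the question (host=1.2.3.4 and sourcetype=radius_logs) over constructed sample events, computes how often each field occurs in the result set, and lists the fields that clear an assumed 60% cut-off. The events, the field names beyond those in the question, and the 60% value (borrowed from the figure this answer uses only as an example) are all assumptions; the real threshold is not stated on the page.

```python
"""Simulation of the field-picker threshold described in the answer above.

A field is listed as "interesting" only when it occurs in at least
THRESHOLD of the events a search returned, so the same data can show
different fields depending on how it was filtered.  The events and the
threshold value are constructed for illustration; the real cut-off is not
stated in the thread.
"""
import re
from collections import Counter

# Assumed cut-off, taken from the 60% figure the answer uses as an example.
THRESHOLD = 0.6

# Regex for key=value pairs in the raw event text (keys may contain '-').
KV_RE = re.compile(r"([A-Za-z_][\w\-]*)=(\S+)")

# Constructed sample events: indexed metadata plus the raw payload.
# Host 1.2.3.4 emits Radius accounting lines; host 1.2.3.5 shares the
# sourcetype but emits plain status lines with none of the Radius fields.
SAMPLE_EVENTS = [
    {"host": "1.2.3.4", "sourcetype": "radius_logs",
     "_raw": "Caller_ID=555-0100 NAS-IP-Address=10.0.0.1 User-Name=alice"},
    {"host": "1.2.3.4", "sourcetype": "radius_logs",
     "_raw": "Caller_ID=555-0101 NAS-IP-Address=10.0.0.1 User-Name=bob"},
    {"host": "1.2.3.4", "sourcetype": "radius_logs",
     "_raw": "Caller_ID=555-0102 NAS-IP-Address=10.0.0.1 User-Name=carol Framed-IP=10.1.1.7"},
    {"host": "1.2.3.4", "sourcetype": "radius_logs",
     "_raw": "Caller_ID=555-0103 NAS-IP-Address=10.0.0.1"},
    {"host": "1.2.3.5", "sourcetype": "radius_logs", "_raw": "status=ok uptime=86400"},
    {"host": "1.2.3.5", "sourcetype": "radius_logs", "_raw": "status=ok uptime=86460"},
    {"host": "1.2.3.5", "sourcetype": "radius_logs", "_raw": "status=ok uptime=86520"},
    {"host": "1.2.3.5", "sourcetype": "radius_logs", "_raw": "status=degraded uptime=86580"},
]


def extract_fields(event):
    """Return the set of field names present in one event: the indexed
    metadata (host, sourcetype, ...) plus every key=value pair in _raw."""
    metadata = {k for k in event if k != "_raw"}
    extracted = {key for key, _ in KV_RE.findall(event["_raw"])}
    return metadata | extracted


def search(events, **filters):
    """Keep only events whose metadata matches every filter, mimicking a
    search such as host=1.2.3.4 or sourcetype=radius_logs."""
    return [e for e in events if all(e.get(k) == v for k, v in filters.items())]


def field_coverage(results):
    """Fraction of the result set in which each field occurs."""
    if not results:
        return {}
    counts = Counter()
    for event in results:
        counts.update(extract_fields(event))
    return {field: n / len(results) for field, n in counts.items()}


def interesting_fields(results, threshold=THRESHOLD):
    """Fields the simulated picker would list without being picked by hand."""
    coverage = field_coverage(results)
    return sorted(f for f, frac in coverage.items() if frac >= threshold)


if __name__ == "__main__":
    for filters in ({"host": "1.2.3.4"}, {"sourcetype": "radius_logs"}):
        results = search(SAMPLE_EVENTS, **filters)
        label = " ".join(f"{k}={v}" for k, v in filters.items())
        print(f"search {label}: {len(results)} events")
        for field, frac in sorted(field_coverage(results).items()):
            print(f"  {field:15s} {frac:4.0%}")
        print("  interesting:", interesting_fields(results))
```

With these events the host search returns only the Radius lines, so Caller_ID and NAS-IP-Address are at 100% and get listed, while the sourcetype search pulls in the status lines from the second host and drops every Radius field to 50%, below the assumed cut-off, leaving only host and sourcetype. Lowering the threshold, or narrowing the search so the result set is more homogeneous, is what brings the fields back into the picker.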

Communicator

Thanks. That puts things in perspective a bit. It helps me structure the searches in a way my users can see the fields and write more specific searches. Cheers!
