Splunk Search

Unable to get results for Splunk search after adding a field from the "interesting fields" list--why?


I am unable to get any values for my search when I add a field from the interesting fields list. It is happening only for one field and that particular field does have results.

Consider I have a following field value pair in my event "name = xyz".

"index=abc name xyz", "index=abc name"," index=abc xyz" 

gives me the results for this search, but not for index=abc name=xyz or index=abc name="xyz".
Can anyone help me with this and let me know how to resolve this issue?

0 Karma

Path Finder

A field can only be interesting if it occurs in at least 90X% (is it 95?) of all events in the returned results. The way to add it to the fields sidebar if it is NOT interesting is to add it to the Selected Fields list:
Click All Fields.
The Select Fields dialog box shows a list of fields in your events and ALL fields will be shown.
The # of Values column shows the number of unique values for each field in the events.
Search for your field name and click the checkbox next to it.
Click save.

You can also click the > icon icon next to your event under the i header on the events tab to turn it into a v and this will show you ALL fields for that event, even the ones that are not interesting.

0 Karma


The problem with that particular field is it is not returning any values once I select it to the search query, but it is assigned with few values from the logs. I am not caring whether it is in selected fields or Interesting fields set. Is there any way I can set the extraction properly so that I can get the results once I select it?

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...