Splunk Search

Unable to get results for Splunk search after adding a field from the "interesting fields" list--why?


I am unable to get any values for my search when I add a field from the interesting fields list. It is happening only for one field and that particular field does have results.

Consider I have a following field value pair in my event "name = xyz".

"index=abc name xyz", "index=abc name"," index=abc xyz" 

gives me the results for this search, but not for index=abc name=xyz or index=abc name="xyz".
Can anyone help me with this and let me know how to resolve this issue?

0 Karma

Path Finder

A field can only be interesting if it occurs in at least 90X% (is it 95?) of all events in the returned results. The way to add it to the fields sidebar if it is NOT interesting is to add it to the Selected Fields list:
Click All Fields.
The Select Fields dialog box shows a list of fields in your events and ALL fields will be shown.
The # of Values column shows the number of unique values for each field in the events.
Search for your field name and click the checkbox next to it.
Click save.

You can also click the > icon icon next to your event under the i header on the events tab to turn it into a v and this will show you ALL fields for that event, even the ones that are not interesting.

0 Karma


The problem with that particular field is it is not returning any values once I select it to the search query, but it is assigned with few values from the logs. I am not caring whether it is in selected fields or Interesting fields set. Is there any way I can set the extraction properly so that I can get the results once I select it?

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...