Splunk Search

Unable to get results for Splunk search after adding a field from the "interesting fields" list--why?

rangineniarunku
Explorer

I am unable to get any values for my search when I add a field from the interesting fields list. It is happening only for one field and that particular field does have results.

ex:
Consider I have a following field value pair in my event "name = xyz".

"index=abc name xyz", "index=abc name"," index=abc xyz" 

gives me the results for this search, but not for index=abc name=xyz or index=abc name="xyz".
Can anyone help me with this and let me know how to resolve this issue?

0 Karma

mhouse3
Path Finder

A field can only be interesting if it occurs in at least 90X% (is it 95?) of all events in the returned results. The way to add it to the fields sidebar if it is NOT interesting is to add it to the Selected Fields list:
Click All Fields.
The Select Fields dialog box shows a list of fields in your events and ALL fields will be shown.
The # of Values column shows the number of unique values for each field in the events.
Search for your field name and click the checkbox next to it.
Click save.

You can also click the > icon icon next to your event under the i header on the events tab to turn it into a v and this will show you ALL fields for that event, even the ones that are not interesting.

0 Karma

rangineniarunku
Explorer

The problem with that particular field is it is not returning any values once I select it to the search query, but it is assigned with few values from the logs. I am not caring whether it is in selected fields or Interesting fields set. Is there any way I can set the extraction properly so that I can get the results once I select it?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...