Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Unable to get results for Splunk search after adding a field from the "interesting fields" list--why?

rangineniarunku
Explorer
‎08-10-2017 01:32 PM

I am unable to get any values for my search when I add a field from the interesting fields list. It is happening only for one field and that particular field does have results.

ex:
Consider I have a following field value pair in my event "name = xyz". 

"index=abc name xyz", "index=abc name"," index=abc xyz"

gives me the results for this search, but not for index=abc name=xyz or index=abc name="xyz".
Can anyone help me with this and let me know how to resolve this issue?

0 Karma
Reply

mhouse3
Path Finder
‎08-10-2017 02:09 PM

A field can only be interesting if it occurs in at least 90X% (is it 95?) of all events in the returned results. The way to add it to the fields sidebar if it is NOT interesting is to add it to the Selected Fields list:
Click All Fields.
The Select Fields dialog box shows a list of fields in your events and ALL fields will be shown.
The # of Values column shows the number of unique values for each field in the events.
Search for your field name and click the checkbox next to it.
Click save.

You can also click the > icon icon next to your event under the i header on the events tab to turn it into a v and this will show you ALL fields for that event, even the ones that are not interesting.

0 Karma
Reply

rangineniarunku
Explorer
‎08-10-2017 02:15 PM

The problem with that particular field is it is not returning any values once I select it to the search query, but it is assigned with few values from the logs. I am not caring whether it is in selected fields or Interesting fields set. Is there any way I can set the extraction properly so that I can get the results once I select it?

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...