Splunk Search

Undefined Fields are in Splunk

kpavan
Path Finder

Hi All,

Am getting undefined fields in splunk, since all my conf files are configured correctly. If am searching the logs with less than 15 min am getting the fields correctly, but if the search period is more than 15min all my fields state are undefined. What would be the issue could you please help me find solution and fix.

Thanks!

Tags (2)

Muryoutaisuu
Communicator

Hi

We have the same phenomenon too.
One single event messes up all fields. If searched without that event, everything works great. As soon as the specific event is loaded, the following happens:

  • The list of fields on the left seems normal at first glance, numbers on the right of each field indicate number of different results as usual
  • When clicking on a field link, the box shows up and the field is named "undefined"
  • Although the field should have 19 different values, there shows up only one value "null" with 100% occurrence and count=5, for each field!
  • Below the title in this box it says: "1 Value, 0.001% of events"
  • When shortened the timerange, I even get "1 Value, 0% of events" on 112 found results. How can it have a value but not affecting any event? Still, the value is "null"

However, analysing the data still works. So a | stats count by shows data and count with proper values, even with the evil event!

This happened to me for the very first and only time. When comparing the two events, I don't see any differences in the pattern.
I'm sorry but I'm not allowed to share the events because of data privacy reasons.
I still hope this might help for further investigation.

0 Karma

tom_frotscher
Builder

Could you provide some sample results were it went correctly and incorrectly?

0 Karma

kpavan
Path Finder

Below are example logs

Logs are undefined fields:
10/28/2014 06:28:50 -0700 - AUTHZ_SUCCESS - GET - hostname/group/reports/-/consumer/WSRP_10132_332e2c30_0bb44ddba59baef8c2c8226f/normal/view/cacheLevelPage/WDJOMWMzUnZiVkpsY0c5eWRITlFiM0owYkdWMFgxZEJVbDlwWTJWd2IzSjBZV3hmZDNOeWNEMHg*?p_p_lifecycle=2&p_p_resource_id=getReportList&p_p_col_id=column-3&p_p_col_count=1&_WSRP_10132_332e2c300bb44ddba59baef8c2c8226f_wsrp-resourceCacheability=cacheLevelPage&undefined=undefined&=1414474130364 - uid=xyz,ou=users,ou=people,dc=xyz,dc=com - 06:28:50 - http - xyz_webgate - - 2uid=[email protected]

Logs are defined and correct fields
0/28/2014 07:24:39 -0700 - AUTHZ_SUCCESS - GET - HOSTNAME- x.x.x.x - www.xyz.com/autologin - uid=[email protected] ,ou=customers,ou=people,dc=xyz,dc=com - 07:24:39 - http - xyz - - 2uid=[email protected]

alt text

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Introducing ITSI 5.0: Unified Visibility and Actionable Insights

Introducing ITSI 5.0: Unified Visibility and Actionable Insights Tuesday, July 21, 2026  |  10:00AM PT / ...

Inside Splunk Agent Observability: Understanding Agent Behavior, Tokens & Costs

Inside Splunk Agent Observability:Understanding Agent Behavior, Tokens & Costs Thursday, August 06, ...

From Data to Insight: Announcing the Winners of the Splunk Dashboard Contest

Hi Splunkers, First off, thank you to everyone who participated in our very first From Data to Insight: The ...