Splunk Search

Undefined Fields are in Splunk

kpavan
Path Finder

Hi All,

I am getting undefined fields in Splunk, even though all my conf files are configured correctly. If I search the logs over less than 15 minutes, I get the fields correctly, but if the search period is more than 15 minutes all my fields show as undefined. What could the issue be? Could you please help me find a solution and fix it.

Thanks!


Muryoutaisuu
Communicator

Hi

We have the same phenomenon too.
One single event messes up all fields. If searched without that event, everything works great. As soon as the specific event is loaded, the following happens:

  • The list of fields on the left seems normal at first glance; the numbers on the right of each field indicate the number of different results as usual.
  • When clicking on a field link, the box shows up and the field is named "undefined".
  • Although the field should have 19 different values, only one value, "null", shows up with 100% occurrence and count=5, for each field!
  • Below the title in this box it says: "1 Value, 0.001% of events".
  • When I shortened the time range, I even got "1 Value, 0% of events" on 112 found results. How can it have a value but not affect any event? Still, the value is "null".

However, analysing the data still works. So a | stats count by shows data and count with proper values, even with the evil event!

This happened to me for the very first and only time. When comparing the two events, I don't see any differences in the pattern.
I'm sorry but I'm not allowed to share the events because of data privacy reasons.
I still hope this might help for further investigation.

0 Karma

tom_frotscher
Builder

Could you provide some sample results where it went correctly and incorrectly?

0 Karma

kpavan
Path Finder

Below are example logs

Logs with undefined fields:
10/28/2014 06:28:50 -0700 - AUTHZ_SUCCESS - GET - hostname/group/reports/-/consumer/WSRP_10132_332e2c30_0bb44ddba59baef8c2c8226f/normal/view/cacheLevelPage/WDJOMWMzUnZiVkpsY0c5eWRITlFiM0owYkdWMFgxZEJVbDlwWTJWd2IzSjBZV3hmZDNOeWNEMHg*?p_p_lifecycle=2&p_p_resource_id=getReportList&p_p_col_id=column-3&p_p_col_count=1&_WSRP_10132_332e2c300bb44ddba59baef8c2c8226f_wsrp-resourceCacheability=cacheLevelPage&undefined=undefined&=1414474130364 - uid=xyz,ou=users,ou=people,dc=xyz,dc=com - 06:28:50 - http - xyz_webgate - - 2uid=qatest110781@zys.com

Logs with defined and correct fields:
0/28/2014 07:24:39 -0700 - AUTHZ_SUCCESS - GET - HOSTNAME- x.x.x.x - www.xyz.com/autologin - uid=stefanlay@xyz.com ,ou=customers,ou=people,dc=xyz,dc=com - 07:24:39 - http - xyz - - 2uid=stefanlay@xyz.com


0 Karma
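An added check, not code from the thread or from Splunk itself, that runs a simplified key=value extraction over the two posted events. It assumes (unverified here) that the `undefined=undefined&=1414474130364` query parameters in the first event are what yields a field literally named "undefined" plus a field with an empty name; the regex is an approximation of automatic key=value extraction, not Splunk's actual implementation, and the sample events are shortened copies of the lines above.

```python
import re
from typing import Dict, List

# Constructed sample events, shortened from the two log lines posted above.
BAD_EVENT = (
    "10/28/2014 06:28:50 -0700 - AUTHZ_SUCCESS - GET - hostname/group/reports/-/consumer/"
    "WSRP_10132/normal/view/cacheLevelPage/X*?p_p_lifecycle=2&p_p_resource_id=getReportList"
    "&p_p_col_id=column-3&p_p_col_count=1&undefined=undefined&=1414474130364"
    " - uid=xyz,ou=users,ou=people,dc=xyz,dc=com - 06:28:50 - http - xyz_webgate - - 2uid=qatest110781@zys.com"
)
GOOD_EVENT = (
    "10/28/2014 07:24:39 -0700 - AUTHZ_SUCCESS - GET - HOSTNAME- x.x.x.x - www.xyz.com/autologin"
    " - uid=stefanlay@xyz.com ,ou=customers,ou=people,dc=xyz,dc=com - 07:24:39 - http - xyz - - 2uid=stefanlay@xyz.com"
)

# Simplified stand-in for automatic key=value extraction (assumption: Splunk's real
# extraction is more elaborate). A key is whatever sits between a delimiter
# (start of line, whitespace, '&', '?' or ',') and an '='; the value runs to the
# next whitespace, '&' or ','.
KV_RE = re.compile(r"(?:^|[\s&?,])([A-Za-z0-9_]*)=([^\s&,]*)")

# Field names that an event should never produce: an empty name, or names that
# collide with the "undefined" / "null" sentinels seen in the field sidebar.
RISKY_NAMES = {"", "undefined", "null"}


def extract_kv(event: str) -> Dict[str, List[str]]:
    """Return every key=value pair the simplified extraction finds, keyed by name."""
    fields: Dict[str, List[str]] = {}
    for match in KV_RE.finditer(event):
        fields.setdefault(match.group(1), []).append(match.group(2))
    return fields


def risky_fields(event: str) -> List[str]:
    """Return the extracted field names (sorted) that fall into RISKY_NAMES."""
    return sorted(name for name in extract_kv(event) if name in RISKY_NAMES)


if __name__ == "__main__":
    for label, event in (("bad", BAD_EVENT), ("good", GOOD_EVENT)):
        print(label, "risky field names:", risky_fields(event))
```

Running this flags the first event (field names "" and "undefined") and passes the second, which is one way to scan a raw export for events worth excluding while the extraction config is corrected.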