status 9

vipmakka · ‎05-24-2018

sourcetype=access_combined | fields clientip host action status

All Fields
Selected Fields
aaction 5
ahost 3
Interesting Fields
aclientip 100+

status 9

skoelpin · ‎05-24-2018

Interesting fields are key-value pairs that Splunk extracts when searching the data. When you dispatch a search, Splunk will try to identify delimiters such as an equal sign or colon and assign the value on the left as the field and the value on the right as the value. It will then take these key-value pairs and list them under interesting fields if that fields is atleast 20% of the search range by default. You can pop open the fields at the bottom of the selection and select any fields that you want at the top and they become selected fields

http://docs.splunk.com/Documentation/SplunkCloud/7.0.3/Knowledge/Aboutfields

View solution in original post

skoelpin · ‎05-24-2018

Interesting fields are key-value pairs that Splunk extracts when searching the data. When you dispatch a search, Splunk will try to identify delimiters such as an equal sign or colon and assign the value on the left as the field and the value on the right as the value. It will then take these key-value pairs and list them under interesting fields if that fields is atleast 20% of the search range by default. You can pop open the fields at the bottom of the selection and select any fields that you want at the top and they become selected fields

http://docs.splunk.com/Documentation/SplunkCloud/7.0.3/Knowledge/Aboutfields

goelt2000 · ‎07-03-2021

where are these extractions defined? I do not see anything under props.conf on search head which comes with default Splunk.

EXTRACT-<class> = [<regex>|<regex> in <src_field>]

For example: if I search for

index=_internal sourcetype=splunkd, I see a range of fields in "interesting fields".

Where in props.conf is the corresponding EXTRACT-<class> defined for it?

I assume: Selected fields= index time fields.

Interesting fields=search time extracted fields

ddrillic · ‎05-24-2018

In addition, @DalJeanis commented at Why sometimes sourcetype doesn't appear under Selected Fields?

-- An interesting field is any field that appears in 20% or more of the data, but is not a selected field. (You can change the 20% number if you want.)

DUThibault · ‎06-10-2019

@ddrillic "You can change the 20% number if you want." Where? Which .conf file or Splunk Web page?

bishtk · ‎10-09-2019

Hi @DUThibault , did you get any scope on where we can change this Interesting field filtering percentage?

niketn · ‎05-24-2018

@vipmakka, go through Splunk Fundamentals 1 free course where module 3 talks about this in details.

Once you complete the self paced e-learning course you are eligible to take an exam and become Splunk Certified User as well 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

vipmakka · ‎05-24-2018

Thank you skoelpin!

What is an interesting field?

status 9

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation

What is an interesting field?

status 9

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...