Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why am I not able to see my extracted field in Splunk Web?

manja054
Explorer
‎07-28-2015 07:33 AM

I am not able to see my extracted field.

I can see the field created under splunk/etc/users/local

Also, I added the same to props.conf, but still I am not able to see the field in Splunk Web.

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎07-29-2015 02:26 AM

Set the Search Mode Selector to Verbose Mode. First appearing in v5.0 (and restyled in v6.0) is a new Search Mode Selector control that, depending on how you set it, will either show all the data available for your search (at the expense of speed), or speed up and streamline your search in certain ways (mainly by skipping all field extractions). The selector is at the upper right-hand corner just below the search button. The Fast and Verbose modes represent the two ends of the search mode spectrum. The default Smart mode switches between them depending on the type of search that you are running. Whenever you first run a saved search, it will run in Smart mode. Be aware that the Search Mode Selector setting is part of your viewstate and in that regard is somewhat "stateful" meaning that you my find it automatically reset to unexpected values as you navigate through different views.

0 Karma
Reply

rsennett_splunk
Splunk Employee
Splunk Employee
‎07-28-2015 11:45 PM

It's also possible, that the field extracted shows up in a very lower percentage of events. If that's the case, it might not be automagically listed in the field list.

Click on All Fields
Below the words "Selected Fields" and the fields themselves are three links listed horizontally.
See where it says "Coverage 1% or more" ?
click it... it's a dropdown. Select ALL FIELDS.
Now search for your field.

the path splunk/etc/users/local is not a valid path
If it's under a specific user : splunk/etc/users/username/appname/local/props.conf then navigate to the app... and then run your search and you should see your field.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma
Reply

somesoni2
Revered Legend
‎07-28-2015 01:14 PM

If you go to Settings -> Fields -> Field Extractions and select proper app, are you able to see those field extractions??/

0 Karma
Reply

mgoblue
Explorer
‎07-28-2015 12:55 PM

Where are you looking? The ones created using Extract New Fields show up under Settings > Fields > Field Extractions. When I run a search (and it finds data for it) it will show up in Interesting Fields or further below ###more fields.

0 Karma
Reply

manja054
Explorer
‎07-28-2015 10:12 PM

Yes, i am trying see extracted field under interesting fields.. but no luck

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...