Splunk Search
Highlighted

Why am I not able to see my extracted field in Splunk Web?

Explorer

I am not able to see my extracted field.

I can see the field created under splunk/etc/users/local

Also, I added the same to props.conf, but still I am not able to see the field in Splunk Web.

Tags (1)
0 Karma
Highlighted

Re: Why am I not able to see my extracted field in Splunk Web?

Explorer

Where are you looking? The ones created using Extract New Fields show up under Settings > Fields > Field Extractions. When I run a search (and it finds data for it) it will show up in Interesting Fields or further below ###more fields.

0 Karma
Highlighted

Re: Why am I not able to see my extracted field in Splunk Web?

Explorer

Yes, i am trying see extracted field under interesting fields.. but no luck

0 Karma
Highlighted

Re: Why am I not able to see my extracted field in Splunk Web?

SplunkTrust
SplunkTrust

If you go to Settings -> Fields -> Field Extractions and select proper app, are you able to see those field extractions??/

0 Karma
Highlighted

Re: Why am I not able to see my extracted field in Splunk Web?

Splunk Employee
Splunk Employee

It's also possible, that the field extracted shows up in a very lower percentage of events. If that's the case, it might not be automagically listed in the field list.

Click on All Fields
Below the words "Selected Fields" and the fields themselves are three links listed horizontally.
See where it says "Coverage 1% or more" ?
click it... it's a dropdown. Select ALL FIELDS.
Now search for your field.

the path splunk/etc/users/local is not a valid path
If it's under a specific user : splunk/etc/users/username/appname/local/props.conf then navigate to the app... and then run your search and you should see your field.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma
Highlighted

Re: Why am I not able to see my extracted field in Splunk Web?

Esteemed Legend

Set the Search Mode Selector to Verbose Mode. First appearing in v5.0 (and restyled in v6.0) is a new Search Mode Selector control that, depending on how you set it, will either show all the data available for your search (at the expense of speed), or speed up and streamline your search in certain ways (mainly by skipping all field extractions). The selector is at the upper right-hand corner just below the search button. The Fast and Verbose modes represent the two ends of the search mode spectrum. The default Smart mode switches between them depending on the type of search that you are running. Whenever you first run a saved search, it will run in Smart mode. Be aware that the Search Mode Selector setting is part of your viewstate and in that regard is somewhat "stateful" meaning that you my find it automatically reset to unexpected values as you navigate through different views.

0 Karma