Splunk Search

Why do my field extractions disappear from the left Fields Sidebar when more parameters are added to the search?

hanijamal
New Member

I lose my field extractions when I add a search parameter to my search:

THIS WORKS: (I see fields on the left hand side that i have setup in the base app via the props/transforms config)

index=myindex host=62643 OR host=62644 OR host=62645

THIS DOES NOT WORK: (I lose all my field extractions when I run the search below)

index=myindex host=62643 OR host=62644 "ProcessGroupID=CLPORT&Action=T"

btw: processgroupID is not an extracted field.. is that why I lose my configured fields when I try and free form search?

thanks!

0 Karma
1 Solution

gokadroid
Motivator

btw: processgroupID is not an extracted field.. is that why I lose my configured fields when I try and free form search?
Above statement should not affect ideally what shows up as a field as long as an extracted field is in the data / event you get returned on a search, however you can check following:

1) What mode are you running the search on, changing the mode might help return some of the fields (smart, verbose)

2) What is the coverage of the fields as generally even the extracted fields only appear if they occur in 1% data (it is a filter set on "All Fields" section. Go to fields side bar on left, click on All Fields, select the filter "All Fields" rather than 1%.

3) Check if the events returned on adding more "search string pattern" actually contain the lines where this extraction should be.

4) Check if the extractions were done on the same sourcetype from which the events are returned when you extend the search criteria to include more string.

5) Check any permission issues (scope ) you might have so that you are searching correct app/sourcetype and expecting the extractions.

Those are few I can think of 🙂

View solution in original post

0 Karma

gokadroid
Motivator

btw: processgroupID is not an extracted field.. is that why I lose my configured fields when I try and free form search?
Above statement should not affect ideally what shows up as a field as long as an extracted field is in the data / event you get returned on a search, however you can check following:

1) What mode are you running the search on, changing the mode might help return some of the fields (smart, verbose)

2) What is the coverage of the fields as generally even the extracted fields only appear if they occur in 1% data (it is a filter set on "All Fields" section. Go to fields side bar on left, click on All Fields, select the filter "All Fields" rather than 1%.

3) Check if the events returned on adding more "search string pattern" actually contain the lines where this extraction should be.

4) Check if the extractions were done on the same sourcetype from which the events are returned when you extend the search criteria to include more string.

5) Check any permission issues (scope ) you might have so that you are searching correct app/sourcetype and expecting the extractions.

Those are few I can think of 🙂

0 Karma

hanijamal
New Member

thanks for your reply

1) Smart and verbose (not fast)

2) tried selecting all fields.. extracted fields are still not there

3) yes, there are events present with extended search criterion

4) aha! this might be it.. though the extractions were done for the same sourcetype.. the event is different than what was used as a template to do the field extractions

5) checked permissions, users have full access to search data in the particular index and sourcetype

0 Karma

gokadroid
Motivator

So If 4) works well for you and if it solves it, please feel free to accept the answer and up vote 🙂

0 Karma

adamsaul
Communicator

hanijamal,

Your free form search can/may dwindle down the amount of field extractions you see on the sidebar. This is because as part of the WebUI, when you click on an additional field on the left, it will append it to your existing search command

Adam

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...