Splunk Search

Why does field not appear in the list of available fields?

bolopez
Explorer

Hello,

I have a field that does not appear in the list of fields on the left when doing a search. I have looked for information on the internet about what could be the cause and the solution to this problem, but in my case it is not because I do not make the search in "Verbose mode", it does not appear in less than 1% of events and it is not because I have not chosen All Fields in the "X more fields" section, which apparently are the reasons why most people have this problem. What surprises me is that when I create another "Extraction field" the field I need appears in the list of available fields, so I can't create another field that collects the same as the field in question (from the GUI). The only solution I have found, which in principle does not work for me because I need it to be visible in the list I mentioned before, is to do the search using the rex command or the extract reload=T command.

So, my question is, do I have to make any changes in any configuration file or could I do something to make the field I need available in the list of available fields I mentioned above (the one on the left when you make a search)? Thanks in advance and best regards.


gcusello
Legend

Hi @bolopez, first check whether you have too few occurrences by adding to your search

your_search your_field=*

If you see it, click on Interesting field so you'll see it every time.

If you don't see it, try to run the extraction rex using the rex command to check if it's correct.

If it extracts the field, you have to understand where the field extraction is (maybe it is in another app) and the grants.

If the field is still missing, the problem is the extraction rex.

If you want help with the rex extraction, please share some samples and an indication of what you want to extract.

Ciao.

Giuseppe

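The check suggested in the reply above (which app holds the field extraction, and what its sharing and permissions are), as an added example that is not part of the original posts. The file contents, the sourcetype `my_sourcetype` and the app `my_app` are constructed, and only per-object `local.meta` stanzas are considered; on a real instance the same information lives in each app's `props.conf` and `metadata/local.meta`.

```python
import configparser

# Constructed sample files (not from the thread): app -> (props.conf, metadata/local.meta)
APPS = {
    "search": (
        "[my_sourcetype]\nEXTRACT-status = status=(?<status>\\d+)\n",
        "[props/my_sourcetype/EXTRACT-status]\nexport = system\nowner = admin\n"
        "access = read : [ * ], write : [ admin ]\n",
    ),
    "my_app": (
        "[my_sourcetype]\nEXTRACT-status = code=(?<status>\\w+)\n",
        "",  # no per-object metadata stanza: treated here as app-only (simplification)
    ),
}

def _parse(text):
    # Only "=" separates key and value, so ":" inside values is left alone.
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str  # keep keys such as EXTRACT-status case-sensitive
    cp.read_string(text)
    return cp

def find_extractions(apps, name):
    """Return one record per app that defines EXTRACT-<name>."""
    key, found = "EXTRACT-" + name, []
    for app, (props_text, meta_text) in sorted(apps.items()):
        props, meta = _parse(props_text), _parse(meta_text)
        for stanza in props.sections():
            if not props.has_option(stanza, key):
                continue
            meta_stanza = "props/%s/%s" % (stanza, key)
            export, access = "none", "(inherited)"
            if meta.has_section(meta_stanza):
                export = meta.get(meta_stanza, "export", fallback="none")
                access = meta.get(meta_stanza, "access", fallback=access)
            found.append({"app": app, "stanza": stanza, "regex": props.get(stanza, key),
                          "scope": "global" if export == "system" else "app-only",
                          "access": access})
    return found

def report(apps, name):
    hits = find_extractions(apps, name)
    for h in hits:
        print("{app:8} [{stanza}] scope={scope:8} access={access}  {regex}".format(**h))
    if len(hits) > 1:
        print("note: %d definitions of EXTRACT-%s found in different apps" % (len(hits), name))
    return hits

if __name__ == "__main__":
    report(APPS, "status")
```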

bolopez
Explorer

Hi @gcusello,

Thank you for your early response!! I have tried the search using my_field=* and it doesn't appear in the list. If I search using the rex command the field appears more than 100 times. In response to the fact that it may be in another application, when I go to look at the extracted fields in "Settings > Fields > Field extractions" that field appears as "EXTRACT-status", since status is the name of the field, and it says that the App is "search". So, what can be done to solve the problem?


gcusello
Legend

Hi @bolopez,

you have two solutions:

  • you can share this field extraction at global level, so it will be visible in all apps, not only in Search,
  • move this field extraction to your App.

I suggest moving the field extraction to your App.

This is the reason why it isn't a good idea to develop everything in the Search App!

Ciao.

Giuseppe


bolopez
Explorer

Hi @gcusello

This is what appears in the Field extractions, as you can see it is in Global already, and it was shared like that since the beginning and it was not appearing. As I'm new to Splunk, can you explain what you mean when you say "move the extraction field in your App", please? Thank you in advance.

gcusello
Legend

Hi @bolopez,

In the screenshot you shared there's a "Move" button; using it you can move an object (like a field) to another app.

Anyway, being Global this should be the problem.

If it works using the rex command, try to create it again in your app.

Ciao.

Giuseppe

bolopez
Explorer

Hi @gcusello

I have deleted the status field and created another one with another name that contains the same information and now it appears in the list. I tried this some time ago and it still didn't work, so I don't really understand why it didn't appear before. In any case, thank you very much for your help!!!!
