Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is one interesting field not always displayed, and what change do we need to make to have this field always appear by default?

sivapuvvada
Path Finder
‎06-06-2016 10:32 AM

I am not always getting one interesting field, even though I have selected all fields from the fields bar on the left side.

How does Splunk extract interesting fields by default? Where do we need to make a change if we want to always see this interesting field by default?

0 Karma
Reply

woodcock
Esteemed Legend
‎08-06-2019 07:56 AM

The splunk settings that are causing the fields to exist are probably owned by those other apps but the permissions are set to App. You need to edit the permissions and change them to Global (AKA All Apps) so that it will take effect in any app.

Reply

woodcock
Esteemed Legend
‎06-07-2016 05:35 AM

You cannot make a field more interesting without making it more common (frequently occurring in your events). You can however make it a Selected field and then it will always appear. Do it like this:

Perform a search where the field exists for at least 1 search.
Click on All Fields in the upper right of the Fields area (left side of screen under timeline).
Type your field name into the Filter box in the Field Picker dialog that opens.
Mark/Select the checkbox next to your Field Name.
Dismiss the Field Picker dialog.

Now your field will show in the Selected Fields list and also underneath each event (as long as you are in List or Table mode).

Reply

pkumar9610
Explorer
‎08-06-2019 03:00 AM

@woodcock : When I click on All fields I see only 6 Fields on Search Head, what do I need to do to get all the fields back ?

I have raised issue in: https://answers.splunk.com/answers/763583/interesting-fields-missing-in-searchreporting-app.html?min...

0 Karma
Reply

kbarker302
Communicator
‎06-06-2016 11:17 AM

What mode are you searching in? (See the dropdown list on the right under the search icon.) Interesting fields do not show up in Fast Mode - they only show up in Smart or Verbose Mode. I'm not sure if there's a way to make them show up by default.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...