Re: Why is there unrelated fields to all my events...

ctaf · ‎02-19-2018

Hi,

I have a couple of fields that always appear in the output of the fieldsummary command.

I focused on one in particular to try to understand what is happening : "app:excessive_bandwidth".
It turns out that is it one field that comes from a datamodel (Palo Alto). But this field appear even in a unrealted sourcetype. I even modified this Data Model structure so that the root constraint take in account the palo alto index. But it didn't change anything, and data from others indexes still got this field.

Any idea why and how to prevent this ?

ctaf · ‎02-28-2018

Anyone please? 🙂

cpetterborg · ‎02-28-2018

Is the existence of the field causing you some kind of problem, or do you just not want to see that field from the fieldsummary command?

If you really want to find the source if the field, you may want to try debugging using splunk btool from the command line, or grep for the field within the SPLUNK_HOME/etc file structure.

ctaf · ‎03-02-2018

Hi,
I already checked with grep, this is how I found out it was in the palo alto App.
I just want it not to be found in the fieldsummary results. It is also found in the results when I do a "| outputlookup" without specifying specific fields before with a "table" command.

Why is there unrelated fields to all my events?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life