Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Why would a query using a predefined field work for me but not for my coworkers?

dchima
Path Finder
‎01-28-2019 02:42 PM

hello -- i have a question about fields that are identified as field1, field2, field3.... they are showing for me but not for my co workers after a search is returned. Here is my query:

sourcetype="apache_combined"  uri="*/web/int/*" | stats  count, avg(field11)

the field11 in my case is the response time and it displays for me but not for others... please assist if you know what i can try?

Tags (3)
0 Karma
Reply

dkeck
Influencer
‎01-29-2019 09:41 AM

HI,

it also could be that your coworkers have a field extraction in their /etc/users folder that is interfering with yours, meaning e.g. you both try to extract a "action" field, private will always take precedence over in app shared objects.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-28-2019 03:15 PM

Make sure you both have the same roles. If you don't have the same roles, check that you can both access the same objects - indexes, extracted/calculated fields, etc.

If you are searching in Verbose Mode, make sure your coworker is also using Verbose Mode.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

dchima
Path Finder
‎01-28-2019 03:31 PM

Thank you for the response Rich. I asked our Splunk Admin to compare my roles with my co worker to ensure we both have same access for objects - indexes, extracted/calculated fields, etc

I asked my co-worker to search in 'Verbose' mode as well, but that had the same problem with field11 not returning anything.

I'll post here what my Splunk Admin comes back with after he compares our roles

0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎01-28-2019 07:42 PM

Also make sure you are doing the search in the same app and the permissions on the field extraction are set for the app, and just not private.

0 Karma
Reply

dchima
Path Finder
‎01-29-2019 09:31 AM

The search is being performed directly from the splunk search bar against an apache_combined sourcetype file. The count is returned just fine but the field11 is not for my colleagues.

I also have a dashboard for this query and it is setup for 'App' sharing and that experiences the same issue.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...