Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why would a query using a predefined field work for me but not for my coworkers?

dchima
Path Finder
‎01-28-2019 02:42 PM

hello -- i have a question about fields that are identified as field1, field2, field3.... they are showing for me but not for my co workers after a search is returned. Here is my query:

sourcetype="apache_combined"  uri="*/web/int/*" | stats  count, avg(field11)

the field11 in my case is the response time and it displays for me but not for others... please assist if you know what i can try?

Tags (3)
0 Karma
Reply

dkeck
Influencer
‎01-29-2019 09:41 AM

HI,

it also could be that your coworkers have a field extraction in their /etc/users folder that is interfering with yours, meaning e.g. you both try to extract a "action" field, private will always take precedence over in app shared objects.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-28-2019 03:15 PM

Make sure you both have the same roles. If you don't have the same roles, check that you can both access the same objects - indexes, extracted/calculated fields, etc.

If you are searching in Verbose Mode, make sure your coworker is also using Verbose Mode.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

dchima
Path Finder
‎01-28-2019 03:31 PM

Thank you for the response Rich. I asked our Splunk Admin to compare my roles with my co worker to ensure we both have same access for objects - indexes, extracted/calculated fields, etc

I asked my co-worker to search in 'Verbose' mode as well, but that had the same problem with field11 not returning anything.

I'll post here what my Splunk Admin comes back with after he compares our roles

0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎01-28-2019 07:42 PM

Also make sure you are doing the search in the same app and the permissions on the field extraction are set for the app, and just not private.

0 Karma
Reply

dchima
Path Finder
‎01-29-2019 09:31 AM

The search is being performed directly from the splunk search bar against an apache_combined sourcetype file. The count is returned just fine but the field11 is not for my colleagues.

I also have a dashboard for this query and it is setup for 'App' sharing and that experiences the same issue.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...