Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Why would a query using a predefined field work for me but not for my coworkers?

dchima
Path Finder
‎01-28-2019 02:42 PM

hello -- i have a question about fields that are identified as field1, field2, field3.... they are showing for me but not for my co workers after a search is returned. Here is my query:

sourcetype="apache_combined"  uri="*/web/int/*" | stats  count, avg(field11)

the field11 in my case is the response time and it displays for me but not for others... please assist if you know what i can try?

Tags (3)
0 Karma
Reply

dkeck
Influencer
‎01-29-2019 09:41 AM

HI,

it also could be that your coworkers have a field extraction in their /etc/users folder that is interfering with yours, meaning e.g. you both try to extract a "action" field, private will always take precedence over in app shared objects.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-28-2019 03:15 PM

Make sure you both have the same roles. If you don't have the same roles, check that you can both access the same objects - indexes, extracted/calculated fields, etc.

If you are searching in Verbose Mode, make sure your coworker is also using Verbose Mode.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

dchima
Path Finder
‎01-28-2019 03:31 PM

Thank you for the response Rich. I asked our Splunk Admin to compare my roles with my co worker to ensure we both have same access for objects - indexes, extracted/calculated fields, etc

I asked my co-worker to search in 'Verbose' mode as well, but that had the same problem with field11 not returning anything.

I'll post here what my Splunk Admin comes back with after he compares our roles

0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎01-28-2019 07:42 PM

Also make sure you are doing the search in the same app and the permissions on the field extraction are set for the app, and just not private.

0 Karma
Reply

dchima
Path Finder
‎01-29-2019 09:31 AM

The search is being performed directly from the splunk search bar against an apache_combined sourcetype file. The count is returned just fine but the field11 is not for my colleagues.

I also have a dashboard for this query and it is setup for 'App' sharing and that experiences the same issue.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...