hello -- i have a question about fields that are identified as field1, field2, field3.... they are showing for me but not for my co workers after a search is returned. Here is my query:
sourcetype="apache_combined" uri="*/web/int/*" | stats count, avg(field11)
the field11 in my case is the response time and it displays for me but not for others... please assist if you know what i can try?
it also could be that your coworkers have a field extraction in their /etc/users folder that is interfering with yours, meaning e.g. you both try to extract a "action" field, private will always take precedence over in app shared objects.
Make sure you both have the same roles. If you don't have the same roles, check that you can both access the same objects - indexes, extracted/calculated fields, etc.
If you are searching in Verbose Mode, make sure your coworker is also using Verbose Mode.
Thank you for the response Rich. I asked our Splunk Admin to compare my roles with my co worker to ensure we both have same access for objects - indexes, extracted/calculated fields, etc
I asked my co-worker to search in 'Verbose' mode as well, but that had the same problem with field11 not returning anything.
I'll post here what my Splunk Admin comes back with after he compares our roles
The search is being performed directly from the splunk search bar against an apache_combined sourcetype file. The count is returned just fine but the field11 is not for my colleagues.
I also have a dashboard for this query and it is setup for 'App' sharing and that experiences the same issue.