Undefined Fields in Splunk

kpavan
Path Finder

Hi All,

I am getting undefined fields in Splunk, although all my conf files are configured correctly. If I search the logs over less than 15 minutes, I get the fields correctly, but if the search period is more than 15 minutes, all my fields are shown as undefined. What could the issue be? Could you please help me find a solution and fix it?

Thanks!


Muryoutaisuu
Communicator

Hi,

We have the same phenomenon too.
One single event messes up all fields. If searched without that event, everything works great. As soon as that specific event is loaded, the following happens:

  • The list of fields on the left seems normal at first glance; the numbers to the right of each field indicate the number of distinct values as usual.
  • When clicking on a field link, the box shows up and the field is named "undefined".
  • Although the field should have 19 different values, only one value, "null", shows up, with 100% occurrence and count=5, for each field!
  • Below the title in this box it says: "1 Value, 0.001% of events".
  • When I shortened the time range, I even got "1 Value, 0% of events" on 112 found results. How can it have a value but not affect any event? Still, the value is "null".

However, analysing the data still works. So a | stats count by shows data and counts with proper values, even with the evil event!

This happened to me for the very first and only time. When comparing the two events, I don't see any differences in the pattern.
I'm sorry but I'm not allowed to share the events because of data privacy reasons.
I still hope this might help for further investigation.


tom_frotscher
Builder

Could you provide some sample results where it went correctly and incorrectly?


kpavan
Path Finder

Below are example logs.

Log with undefined fields:
10/28/2014 06:28:50 -0700 - AUTHZ_SUCCESS - GET - hostname/group/reports/-/consumer/WSRP_10132_332e2c30_0bb44ddba59baef8c2c8226f/normal/view/cacheLevelPage/WDJOMWMzUnZiVkpsY0c5eWRITlFiM0owYkdWMFgxZEJVbDlwWTJWd2IzSjBZV3hmZDNOeWNEMHg*?p_p_lifecycle=2&p_p_resource_id=getReportList&p_p_col_id=column-3&p_p_col_count=1&_WSRP_10132_332e2c300bb44ddba59baef8c2c8226f_wsrp-resourceCacheability=cacheLevelPage&undefined=undefined&=1414474130364 - uid=xyz,ou=users,ou=people,dc=xyz,dc=com - 06:28:50 - http - xyz_webgate - - 2uid=qatest110781@zys.com

Log with defined and correct fields:
0/28/2014 07:24:39 -0700 - AUTHZ_SUCCESS - GET - HOSTNAME- x.x.x.x - www.xyz.com/autologin - uid=stefanlay@xyz.com ,ou=customers,ou=people,dc=xyz,dc=com - 07:24:39 - http - xyz - - 2uid=stefanlay@xyz.com

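The two sample events above, parsed as an added example (not code from any poster in this thread): it splits each event on the " - " delimiter the logs use and breaks the request URL's query string into parameter names, which shows that the problematic event carries a parameter literally named "undefined" plus one with an empty name, and that its positional field count differs from the correct event. The thread does not confirm that this is the cause, but it is the first thing to compare against the sourcetype's field extractions.

```python
"""Added example, not code from any poster in this thread: parse the two
sample events kpavan posted the way a generic key=value extraction would
see them."""
import re
from urllib.parse import parse_qsl

# Both events copied from the post above (second one as posted, with its
# truncated "0/28/2014" date).
BAD_EVENT = (
    "10/28/2014 06:28:50 -0700 - AUTHZ_SUCCESS - GET - "
    "hostname/group/reports/-/consumer/WSRP_10132_332e2c30_0bb44ddba59baef8c2c8226f/"
    "normal/view/cacheLevelPage/"
    "WDJOMWMzUnZiVkpsY0c5eWRITlFiM0owYkdWMFgxZEJVbDlwWTJWd2IzSjBZV3hmZDNOeWNEMHg*"
    "?p_p_lifecycle=2&p_p_resource_id=getReportList&p_p_col_id=column-3&p_p_col_count=1"
    "&_WSRP_10132_332e2c300bb44ddba59baef8c2c8226f_wsrp-resourceCacheability=cacheLevelPage"
    "&undefined=undefined&=1414474130364 - uid=xyz,ou=users,ou=people,dc=xyz,dc=com"
    " - 06:28:50 - http - xyz_webgate - - 2uid=qatest110781@zys.com"
)
GOOD_EVENT = (
    "0/28/2014 07:24:39 -0700 - AUTHZ_SUCCESS - GET - HOSTNAME- x.x.x.x - "
    "www.xyz.com/autologin - uid=stefanlay@xyz.com ,ou=customers,ou=people,dc=xyz,dc=com"
    " - 07:24:39 - http - xyz - - 2uid=stefanlay@xyz.com"
)

# " - " is the positional delimiter and a lone "-" marks an empty field; splitting
# on " -" followed by a space (then stripping) keeps that empty field intact.
DELIM = re.compile(r" -(?= )")


def positional_fields(event):
    """Split one event into its ' - ' delimited positional fields."""
    return [tok.strip() for tok in DELIM.split(event)]


def query_keys(event):
    """Parameter names in the request URL's query string (if any field has one)."""
    url = next((f for f in positional_fields(event) if "?" in f), "")
    _, _, qs = url.partition("?")
    return [name for name, _ in parse_qsl(qs, keep_blank_values=True)]


def suspicious_keys(event):
    """Names a naive key=value extraction would turn into odd field names:
    an empty name, or the literal word 'undefined'."""
    return [k for k in query_keys(event) if k == "" or k.lower() == "undefined"]


if __name__ == "__main__":
    for label, ev in (("undefined", BAD_EVENT), ("correct", GOOD_EVENT)):
        print(f"{label}: {len(positional_fields(ev))} positional fields, "
              f"query keys={query_keys(ev)}, suspicious={suspicious_keys(ev)}")
```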