Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

A new search field no longer shows in Interesting Fields to be selected

Splunk2016
Path Finder
‎04-09-2015 01:46 PM

I would appreciate any comments:

1) Added "Total" as one of my Selected Fields from the following search (this worked fine):

host="HP" sourcetype="csv" | eval ActionObligation1=tonumber(replace(ActionObligation,",","")) | eventstats sum(ActionObligation1) as Total | eval Total=if(Total>0,"$".tostring(Total,"commas"),"($".tostring(Total*-1,"commas").")")

2) Then I changed "Total" to "GrandTotal" and forgot to remove the previous "Total" from Selected Fields

host="HP" sourcetype="csv" | eval ActionObligation1=tonumber(replace(ActionObligation,",","")) | eventstats sum(ActionObligation1) as GrandTotal | eval GrandTotal=if(GrandTotal>0,"$".tostring(GrandTotal,"commas"),"($".tostring(GrandTotal*-1,"commas").")")

3) I then unchecked all Selected Fields
4) How do I get GrandTotal to appear in Interesting Fields? It no longer displays as an interesting new field. I tried changing back to Total and it no longer displays it under Interesting fields either.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎04-09-2015 02:11 PM

Interesting fields are fields that have values in over 20% of the events that are returned from your search. The amount of fields you see in interesting fields can also depend on your search mode (fast mode does not perform field discovery). If you go to "All Fields", you can then search for your field or change the threshold. From there, you can also make the field selected, even if it isn't considered an "interesting" field.

alt text

View solution in original post

Preview file
1 KB
Reply
Solved! Jump to solution
Solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎04-09-2015 02:11 PM

Interesting fields are fields that have values in over 20% of the events that are returned from your search. The amount of fields you see in interesting fields can also depend on your search mode (fast mode does not perform field discovery). If you go to "All Fields", you can then search for your field or change the threshold. From there, you can also make the field selected, even if it isn't considered an "interesting" field.

alt text

Preview file
1 KB
Reply
Solved! Jump to solution

Splunk2016
Path Finder
‎04-09-2015 02:35 PM

"All Fields" do not show the "GrandTotal" . Coverage option is 100%. if fast mode does not perform field discovery
why did "Total" showed before but it no longer shows up under interesting fields? There are over 8,000 events returned from the search. Perhaps something got changed and I need to reset my splunk environment. Thanks!

I think I see my issue. Coverage option should be changed to "All Fields". Now I can see "GrandTotal"! Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...