Splunk search context.

Splunker
Communicator

Hi,

Something I've always wondered but never thought to ask.

In v4.x of Splunk (currently using v4.2, but have seen the same behaviour in older 4.x versions), why does Splunk show different fields on the left when looking at the same data a different way?

For example, assume I have RADIUS logs, and they're coming from host=1.2.3.4 as well as being sourcetyped as radius_logs.

If I search for "host=1.2.3.4" I see my RADIUS fields (Caller_ID, NAS-IP-Address, etc.), but when searching for "sourcetype=radius_logs" I don't see my fields (just the default Splunk ones like host, source, sourcetype, etc.).

I assume Splunk's search is contextual, but I was hoping someone could elaborate further on why this behaviour occurs, so I can plan my searches accordingly 🙂

Thanks!

mkashif
Explorer

Hello,

There can be 2 things regarding your question:

1) The field you created is not set as being shown. You can select it to be shown by clicking the "pick fields" option at the bottom of the field list. In this way Splunk will show your field.

2) The fields in Splunk appear w.r.t. the contents of your search result. When you are searching by giving a specific IP, the search result comes up with data specific to the IP you mentioned. In this case the field (i.e. the IP address you specified) is always occurring in your search and hence your field is also appearing in the field list.
However, in a generic search it's not necessary that your requested field is appearing in the log. The fields related to data not available in the search result are not shown by Splunk because these fields are irrelevant to that search.

Keep in mind, if you have created a field from a search where the IP address was appearing in the 2nd column of the log, it will not work with a search where the IP address is appearing in some other column of the log [instead of the 2nd column].

Splunker
Communicator

Hi mkashif,

Understand what you're saying, and agree. I was more wondering how Splunk decides which fields to display in the left-hand column.

I'm seeing roughly the same data doing either search (host=1.2.3.4 or sourcetype=radius_logs); I was just wondering how Splunk decides to display a field name in the picker on the left-hand side.

Together with your answer and others I think I understand now why this occurs.

Many thanks for your help and everyone who replied!

mkashif
Explorer

Hello,

I am sorry that I didn't get your question accurately.

What I got is that you are having a format fluctuation in your logs. The log pattern is not the same throughout. Am I right?

You can filter out all the formats using the punct command. It will filter out all the formats, e.g. it will categorize your logs with DNS and without DNS; then you can filter your search further.

Regards,

mw
Splunk Employee

There is a threshold which determines whether a field will show up under the "Other interesting fields" section. I'm not sure exactly what the number is, but as an example, if a field is common to 60% of the events, then it would show up there, whereas anything lower would not and you'd have to click on the field picker to see it. Obviously, what I'm searching for will often determine the frequency of a particular field showing up. If I search for "src_ip=1.2.3.4", the "src_ip" field will occur 100% of the time in the results. Those same events may also sometimes carry a DNS name though, "src_host" for instance, which may not always be populated -- I didn't specify that it was required through my search, therefore it will show only if it occurs frequently enough to be considered "interesting".
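
Added example (not from this thread, and not Splunk's own code): a small Python model of the mechanism mw describes above, which also shows the punct grouping mkashif mentioned earlier in the thread. The sample events, the key=value extraction, the punct approximation and the 60% threshold are all constructed for illustration; the threshold is a parameter because the page does not state Splunk's actual value. Running it with the same two searches as the original question reproduces the observation: under host=1.2.3.4 the RADIUS fields cover 100% of results and are listed, while under sourcetype=radius_logs the same fields cover only half of a mixed-format result set and drop below the threshold.

```python
"""Toy model of how a search's result set drives Splunk's field sidebar.

Added example, not Splunk code. The events, the key=value extraction, the punct
approximation and the threshold are all constructed for illustration.
"""
import re
from collections import Counter

# Constructed sample events: (host, sourcetype, _raw). All share one sourcetype,
# but only the events from host 1.2.3.4 use a key=value layout that yields
# extracted fields; the accounting lines from 5.6.7.8 are free text.
RAW_EVENTS = [
    ("1.2.3.4", "radius_logs",
     "Auth: User-Name=alice Caller_ID=00-11-22-33-44-55 NAS-IP-Address=10.0.0.1 Result=Accept"),
    ("1.2.3.4", "radius_logs",
     "Auth: User-Name=carol Caller_ID=66-77-88-99-AA-BB NAS-IP-Address=10.0.0.1 Result=Reject "
     "src_host=carol-laptop.corp"),
    ("1.2.3.4", "radius_logs",
     "Auth: User-Name=david Caller_ID=CC-DD-EE-FF-00-11 NAS-IP-Address=10.0.0.2 Result=Accept"),
    ("5.6.7.8", "radius_logs", "Acct-Status-Type Start for session 0001 on NAS 10.0.0.3"),
    ("5.6.7.8", "radius_logs", "Acct-Status-Type Stop for session 0001 on NAS 10.0.0.3"),
    ("5.6.7.8", "radius_logs", "Acct-Status-Type Start for session 0002 on NAS 10.0.0.4"),
]

# Simplified key=value auto-extraction (hyphens allowed in keys, as in RADIUS attribute names).
KV_RE = re.compile(r"([A-Za-z][\w-]*)=(\S+)")


def punct(raw, width=30):
    """Approximation of the punct field: keep the punctuation of the first
    `width` characters, drop letters and digits, write spaces as '_' and
    tabs as 't'. This is an approximation, not Splunk's exact algorithm."""
    out = []
    for ch in raw[:width]:
        if ch.isalnum():
            continue
        out.append("_" if ch == " " else "t" if ch == "\t" else ch)
    return "".join(out)


def extract_fields(host, sourcetype, raw):
    """Default fields plus the simplified key=value extraction above."""
    fields = {"host": host, "sourcetype": sourcetype, "punct": punct(raw), "_raw": raw}
    for key, value in KV_RE.findall(raw):
        fields.setdefault(key, value)
    return fields


EVENTS = [extract_fields(*e) for e in RAW_EVENTS]


def search(events, criteria):
    """Return the events whose fields match every key=value criterion."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


def field_coverage(results):
    """Fraction of the result events in which each field occurs (ignores _raw)."""
    counts = Counter(f for e in results for f in e if f != "_raw")
    total = len(results)
    return {f: c / total for f, c in counts.items()} if total else {}


def interesting_fields(results, threshold=0.6):
    """Fields that clear the coverage threshold, i.e. the ones the sidebar
    would list without opening the field picker. 0.6 is the 60% figure the
    poster used as an illustration, not Splunk's documented value."""
    return sorted(f for f, c in field_coverage(results).items() if c >= threshold)


def punct_breakdown(results):
    """Count the distinct punctuation patterns in a result set; this is how
    grouping on punct exposes mixed formats under one sourcetype."""
    return dict(Counter(e["punct"] for e in results))


if __name__ == "__main__":
    for criteria in ({"host": "1.2.3.4"}, {"sourcetype": "radius_logs"}):
        hits = search(EVENTS, criteria)
        print(f"search {criteria}: {len(hits)} events")
        for field, cov in sorted(field_coverage(hits).items(), key=lambda kv: -kv[1]):
            print(f"  {field:<15} {cov:>5.0%}")
        print("  interesting:", interesting_fields(hits))
        print("  punct patterns:", punct_breakdown(hits))
```

The practical takeaway matches mw's point: a search term that is itself a field (host=..., src_ip=...) guarantees 100% coverage for that field and for whatever else is extracted from that one format, whereas a broad sourcetype search dilutes coverage with every other format sharing the sourcetype. Grouping the broad search on punct (or simply counting the patterns, as punct_breakdown does) shows which formats are mixed in and lets a user narrow the search to one of them.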

Splunker
Communicator

Thanks. That puts things in perspective a bit. It helps me structure the searches in a way my users can see the fields and write more specific searches. Cheers!
