I'm missing ALL of the interesting fields.
I used to see such things as date_hour, date_minute, etc, etc. If I manually add those to the search, they show up in "Interesting Fields".
Same with my custom fields in splunk/etc/apps/search/local/props.conf. If I add them to the search, they'll show up under "Interesting Fields".
If I go to "Extract New Fields", and click on a line, they show up as already defined.
Interesting fields only show up if there are more than 20% of the events with that field. Having said that, what mode is your search set to? Interesting fields will not show in Fast mode. Try changing it to Smart or Verbose.
Thank you. I was on fast mode too.
One way to see those even in fast mode is to add "| fields *" after your 1st part. Whether it is wise or not is another story….
What a freaking life saver. I was on fast mode.