Splunk Search

Is there a limit on the number of selected or interesting fields in Splunk?

Kukkadapu
Path Finder

Hi,

I have a log statement with almost 100 fields. When searched, it doesn't show all the fields in Selected fields or in the All fields tab. Is there a limitation for the number of fields in Splunk? If so, where do I change it?

I used the table command to make sure the missing fields are there; they're just not showing in the panel to the left.

Thanks.

0 Karma

jkat54
SplunkTrust

The select fields menu filters by events with greater than 1% match by default. Did you change that?

0 Karma

sgadde
Explorer
0 Karma

Kukkadapu
Path Finder

Jkat54, I've the same settings. The coverage is 1% or more.

0 Karma

jkat54
SplunkTrust

Change it to All Fields.

0 Karma

jkat54
SplunkTrust

Also be sure you're searching in verbose mode.

0 Karma

Kukkadapu
Path Finder

Yes, I tried it, but no luck. It doesn't show all the fields.

0 Karma

Kukkadapu
Path Finder

But if I pipe | fields abc then abc is shown in the fields list. But without that it doesn't show.

0 Karma

jkat54
SplunkTrust

Does it show in the fields picker if you change from 1% coverage to show all fields and then type the field name into the search bar in the fields picker? If so, just select the fields you want to see by default and they'll always be selected for your user when you're in that app context.

0 Karma

Kukkadapu
Path Finder

No, it doesn't show even if I change the coverage.

0 Karma

jkat54
SplunkTrust

I believe the other thing it does, which may be causing the issue, is that it only samples a certain number of events. I believe the limit is set under [associate] in limits.conf but I'm not 100% sure. I recommend opening a support case to get a definitive answer.

0 Karma