Splunk Search

Default fields are not visible

ChhayaV
Communicator

Hi,
When I search with particular sourcetype, I get all the data and fields which are extracted are shown on the left side of the flashtimeline. But I'm not getting default fields like date_month, date_hour in interesting field section. Am I missing anything here?

0 Karma
1 Solution

linu1988
Champion

Hello Chhaya,
i faced the same problem when i extracted the time from the log instead of using the Splunk's event timings. However as "AYN" suggested, you can use strftime to get those fields. It's pretty easy.

Try this:
Your search|eval date_mday=strftime(_time,"%d")|eval date_month=strftime(_time,"%b")|table date_mday,date_month

By this way you will be able to use them at search time for charting/stats related queries.

View solution in original post

linu1988
Champion

Hello Chhaya,
i faced the same problem when i extracted the time from the log instead of using the Splunk's event timings. However as "AYN" suggested, you can use strftime to get those fields. It's pretty easy.

Try this:
Your search|eval date_mday=strftime(_time,"%d")|eval date_month=strftime(_time,"%b")|table date_mday,date_month

By this way you will be able to use them at search time for charting/stats related queries.

jfunderburg
Explorer

BUt if you eval on search head it is extremely slow process verse having the indexer only return valid data. I am now trying this with a 7.0.0 universal forwarder and the same issue STILL exists... When is splunk going to fix this obvious mistake?

0 Karma

Ayn
Legend

You can never change data in the index, so you don't have to worry.

0 Karma

ChhayaV
Communicator

Hi linu1988,

If i run search like this

sourcetype="INSPRODSP" |eval date_mday=strftime(_time,"%d")|eval date_month=strftime(_time,"%b")|table date_mday,date_month

INSPRODSP has my all data, if run above query will this affect the existing timestamp of indexed events?

Or it'll just give me the default fields ?

I'm asking this because, I just want to make sure that above query will not affect the existing indexed data!!

0 Karma

ChhayaV
Communicator

"Seems like fields related to the time processor. In event logs at least these are not included because the time processor is not invoked in the same way as regular file monitor based inputs."

I didn't understand this.If possible can u explain me in simple language?

0 Karma

Ayn
Legend

Seems like fields related to the time processor. In event logs at least these are not included because the time processor is not invoked in the same way as regular file monitor based inputs. You could always recreate the date_* fields using eval's strftime function.

ChhayaV
Communicator

date_* fields and some timeendpos, timestartpos fields. I've loaded sharepoint logs. For the same logs in previous indexer they were visible. But in new indexer i've loaded same logs but they're not visible.

0 Karma

Ayn
Legend

Which specific fields are you missing? Just the date_* fields? Because these are not available for all sources, for instance they are not present for Windows event logs, among others.

0 Karma

ChhayaV
Communicator

yeah there not available even in "View all x fields" link.

0 Karma

jtworzydlo
Path Finder

Are the fields also unavailable under the "View all X fields" link?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...