Hi Guys,
I am confused right now with the OS nix data that are ingesting right now in our splunk, we have 2 search head btw.
When i search this query "(index=* tag=oshost tag=performance tag=cpu) " on both search head the fields are different. What would be the problem why the fields are different from each other?
Search head 1 Result:
---> The fields on this search head 1 was extracted the way we need it like for E.g (mem used & mem free).
Search head 2 Result:
---> The fields that we are seeing is the splunk default fields like for E.g (host, line count, index, tag). For us to be able to see the same fields on search head 1 we need to add/used "multikv" on our query.
I already checked the tag, eventtype, & user permission that we are using, seems to be fine.
Any suggestions would be appreciated. Thanks,
--
Michael
... View more