Refine your search:

Custom fields not always showing up

4

I have a Splunk app that parses some Snort files and assigns some fields to the content. The app works fine from the Splunk web page, but when I use the REST API (via Splunk for Java) I do not get my custom fields back unless they are in the search criteria. For instance, if I search for "src_ip_addr=*" then I will get the fields back in the results, otherwise I don't.

I used to get them back regardless in Splunk 4.0. What do I need to change to get them to always come back for my sourcetype?

Thanks for any help...

-Brian

asked 17 Jun '10, 19:45

klumpba's gravatar image

klumpba
411
accept rate: 0%

edited 17 Jun '10, 19:56

Lowell's gravatar image

Lowell ♦
9.6k637
2 Answers:
oldestnewestmost voted
2

Certain field extractions are automatic disabled in 4.1 when it appears that the field is not needed. (An interactive search from splunk's web interface all fields are enabled.)

I think all you should have to do is add a fields command to your search. Something like:

your search | fields src_ip_addr

You may also get the same effect by explicitly passing in the required_field_list to your dispatch request. (Was this just called fields in a previous version of the API? Maybe I'm remembering this incorrectly.) It seems like this should do the trick too, but I'm not 100% sure.

link

answered 17 Jun '10, 19:55

Lowell's gravatar image

Lowell ♦
9.6k637
accept rate: 40%

Ah, thanks! Tossing "fields" in there did the trick. Thanks!

(18 Jun '10, 15:57) klumpba
1

The other option is to use the required_field_list and status_bucket (anything over 0) during the POST:

status_buckets = integer

* defaults to 0.
* The most status buckets to generate. (0 = do not generate timeline information)

required_field_list = (comma separated list)

* default to empty
* This is the list of required fields that, even if not referenced or used directly by the search, will still be included by the events and summary endpoints.
link

answered 29 Sep '10, 19:18

kbains's gravatar image

kbains ♦
6688
accept rate: 26%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×352
×93
×81
×32

Asked: 17 Jun '10, 19:45

Seen: 853 times

Last updated: 29 Sep '10, 19:18

Related questions

Having trouble setting up delims-based field extraction, fields are not showing up

Problem Creating new search time field extraction Thru the REST API and Java Splunk SDK

Create new Field Extraction regex expression via REST API Java SDK

How to stop automatic field extraction from creating separate fields for each case variant on the same field name

Adding a field extraction causes other fields to disappear

Field extraction with duplicate values in fields

Fields through REST API

Automatic field extraction not extracting all the fields from a particular event

Copyright © 2005-2012 Splunk, Inc. All rights reserved.