Splunk Search

After indexing data in Splunk, the field is present in the event, but I can't filter on it

Alaza
Explorer

Hello,

After indexing data, I can find the events in Splunk. All the events have field_1 equal to 0 or 1.
But unfortunately, although the field is visible in the event, I can't filter on it.

index="test" | where isnull(field_1)

It returns events, but those events have field_1 not null; Splunk just doesn't recognize it.
If I filter on field_1=1, it returns events with field_1=1, but not all of them: on some events field_1 is not recognized.

I tried to extract a new field on these events, but it didn't work.
Thanks for your help.

0 Karma
1 Solution

DalJeanis
Legend

Okay, first, make sure you are doing this test with verbose mode on. Second, do this

index="test"
| eval field_1=coalesce(field_1,"None")
| eval matched=case(field_1!="None",1)
| stats count sum(matched) as matched by field_1
| eventstats sum(count) as totalCount sum(matched) as matched
| eval pctMatched=case(field_1!="None",round(100*count/matched,2))
| eval pctTotal=round(100*count/totalCount,2)
| table field_1 count pctTotal pctMatched

The result should tell you how many you have of each type. If there are any with the value "None", then it means your extraction is not acting correctly. (Which we pretty much know.)

Next, do this

index="test"  

Look at the interesting fields on the left and click on field_1. Look at what percentage of events have this field on them. This should match exactly the results of the prior test.

If the above results are consistent, then you need to check your extraction and see what is different about the events where the extraction did not occur.


0 Karma


Alaza
Explorer

Thanks for the reply; the first search showed me 17 "None". I checked my extraction.
I found the issue: the extraction of a field before field_1 contains a description with '' at the end.

That's why field_1 is not extracted.

Thanks for your help.
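The two parts of this thread, the coverage check in the accepted answer and the root cause Alaza found (a combined extraction where the regex for the preceding description field fails on descriptions ending in extra quotes, taking field_1 down with it), can be reproduced outside Splunk. The following is an added example, not code from the original post or from Splunk: the events, the field names and both regexes are constructed, and Python's re module stands in for the PCRE engine Splunk uses, so the patterns are deliberately limited to syntax the two engines share.

```python
"""Simulate a Splunk-style regex field extraction to show why a bad pattern for
an earlier field silently drops a later one, and how to measure the damage.

Added example, not from the original thread. Events and patterns are
constructed; Python's re module is a stand-in for Splunk's PCRE engine.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed events. Two of them have a description that ends in extra
# quotes, the situation described in the thread.
EVENTS = [
    "2024-05-01T10:00:00Z host=web01 desc='disk check ok' field_1=1",
    "2024-05-01T10:00:01Z host=web02 desc='backup job' field_1=0",
    "2024-05-01T10:00:02Z host=web03 desc='operator note ''' field_1=1",
    "2024-05-01T10:00:03Z host=web04 desc='retry ''' field_1=0",
    "2024-05-01T10:00:04Z host=web05 desc='login ok' field_1=1",
]

# Hypothetical extraction of the kind that goes in props.conf/transforms.conf:
# one regex capturing desc and then field_1. [^']* stops at the first quote,
# so a description ending in extra quotes breaks the whole match and field_1
# is lost on exactly those events, even though it is visible in the raw text.
BROKEN_RE = re.compile(r"desc='(?P<desc>[^']*)'\s+field_1=(?P<field_1>[01])\b")

# Fixed pattern: a lazy .*? anchored on the delimiter that follows the value,
# so embedded quotes inside desc no longer end the match early.
FIXED_RE = re.compile(r"desc='(?P<desc>.*?)'\s+field_1=(?P<field_1>[01])\b")


def extract(events: List[str], pattern: re.Pattern) -> List[Dict[str, Optional[str]]]:
    """Apply the extraction to each raw event; an unmatched event gets no fields."""
    out = []
    for raw in events:
        m = pattern.search(raw)
        out.append(m.groupdict() if m else {})
    return out


def unmatched(events: List[str], pattern: re.Pattern) -> List[str]:
    """Raw events on which the extraction does not fire; these are what to diff
    against the events that work when hunting for the broken pattern."""
    return [raw for raw in events if not pattern.search(raw)]


def coverage(extracted: List[Dict[str, Optional[str]]], field: str = "field_1") -> Dict[str, dict]:
    """Mirror the thread's stats search: count per value, missing values shown
    as "None", plus each value's share of all events and of matched events."""
    values = Counter(e.get(field) or "None" for e in extracted)
    total = sum(values.values())
    matched = total - values.get("None", 0)
    report = {}
    for value, count in sorted(values.items()):
        report[value] = {
            "count": count,
            "pctTotal": round(100 * count / total, 2),
            "pctMatched": round(100 * count / matched, 2)
            if value != "None" and matched else None,
        }
    return report


if __name__ == "__main__":
    for name, pattern in (("broken", BROKEN_RE), ("fixed", FIXED_RE)):
        print(f"--- {name} extraction ---")
        for value, row in coverage(extract(EVENTS, pattern)).items():
            print(f"field_1={value!r:7} count={row['count']} "
                  f"pctTotal={row['pctTotal']} pctMatched={row['pctMatched']}")
        for raw in unmatched(EVENTS, pattern):
            print("  not extracted:", raw)
```

Run as-is, the broken pattern reports two "None" rows (40% of events), which is the signature DalJeanis's search surfaces; printing the unmatched raw events then shows what the failing events have in common, here the trailing quotes in desc. A second, independent fix is to extract field_1 on its own (field_1=(?P<field_1>[01])\b) so that it no longer depends on the description regex at all; that is usually the safer choice when the earlier field is free text.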

DalJeanis
Legend

Glad to be of assistance.

0 Karma

niketn
Legend

@Alaza, on the left-hand side in the interesting fields, if field_1 is showing a value which you feel is incorrect, you can click on it to add it to the search. Please check what search filter gets added. See whether there are any leading/trailing spaces or something else. If you can, please add sample data or a screenshot of the actual issue you are seeing.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma