fields showed only in Verbose Mode

gcusello
SplunkTrust

Hi all,
I'm using Splunk 6.5.1.
I extracted eight fields from a sourcetype.
I'm trying to show them in a table, and I can do it fully only in Verbose Mode; in Fast or Intelligent Mode, only the last two extracted fields aren't shown in my table (see attached screenshots).
All eight fields are selected fields.
Has anyone encountered this problem?
Thank you.
Bye.
Giuseppe
P.S.: I found a great many errors in 6.5.x (mine and in the community), and I'm trying to delay the upgrade of my installation. What do you think?

1 Solution

niketn
Legend

Is there any reason why your results are being reversed for the same query?
Have you checked the fields for the same timestamp in both searches?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

rjthibod
Champion

What happens if you put fields before the table command in "Intelligent mode"?

index=juniper failed | fields _time citrix Reason | table _time citrix Reason


gcusello
SplunkTrust

Same behavior!
Thanks.
Bye.
Giuseppe


rjthibod
Champion

Thanks.

What happens if you add a sourcetype to the initial filters in the first search segment?


gcusello
SplunkTrust

Thanks niketnilay,
It's really curious behavior: I thought that by default I had a sort by _time starting from the newest to the latest; instead, in Verbose or Fast Mode there are two different sort rules! Both descending, but with different starting points!
If I force sorting (e.g. by _time), I have the same result in both modes!
Thank you very much!
Bye.
Giuseppe
