Hi at all,
I'm using Splunk 6.5.1.
I extracted eight fields from a sourcetype.
I'm trying to show them in a table and I can fully do it only in Verbose Mode, instead in Fast or Intelligent Mode, only the last two extracted fields aren't showed in my table (see attached screenshots).
All the eight fields are selected fields.
Someone encountered this problem?
Thank you.
Bye.
Giuseppe
P.S.: I found very many errors on 6.5.x (mine and in community), and I'm trying to delay upgrade in my installation, what do you think?
Is there any reason why your results are being reversed for the same query?
Have you checked fields for same time stamp for both the searches?
Is there any reason why your results are being reversed for the same query?
Have you checked fields for same time stamp for both the searches?
What happens if you put fields
before the table
command in "Intelligent mode"?
index=juniper failed | fields _time citrix Reason | table _time citrix Reason
same behavior!
Thanks.
Bye.
Giuseppe
Thanks.
What happens if you add a sourcetype to the initial filters in the first search segment?
Thanks niketnilay,
it's really a curious behavior: I thought that by default I had a sort by _time starting from the newest to the latest, instead in Verbose or Fast Mode, there are two different sort rules! both descending but with different starting point!
If I force sorting (e.g. by _time) I have the same result in both the Modes!
Thank you very much!
Bye.
Giuseppe