Dashboards & Visualizations

Field display problem converting views from 4.0 to 4.1.5?

Tisiphone_1
Explorer

Hi all,

I recently converted from 4.0.x to 4.1.5, and I found that all of my views broke. The searches still run, and state they have results, but not all the existing fields come through, so the data that is post-processed does not display properly.

Here is an example search for a person input into a form (if the field is not null):

index=my_index "searchstring" [ stats count | eval search=if("$Person$"=="NOTSPECIFIED"," ","user=$Person$ ") | fields - count ]

This used to search for a variable the user input in a form, and output the results with all fields intact. Now, only two or three of 40 some-odd resulting fields show up if I remove post process on the results. I've tried specifying all necessary fields in the search to no avail.

My search post processes are pretty basic, just "top" and "dedup" or specifying fields.

<table>
      <title>Top Users</title>
            <searchPostProcess> | top user limit=10</searchPostProcess>
</table>

Thank you kindly for your time.

Tags (1)
0 Karma

sideview
SplunkTrust
SplunkTrust

That's definitely strange.

It sounds like you've already tried my first suggestion, which is to make sure that the base search has

| fields user * 

or some reference to the 'user' field in it? If the main search refers to the field then it'll be there and it'll be available for postprocess searches.

It's possible that in your view, required_field_list was being set in 4.0.X (possibly erroneously), and that was essentially allowing you to have the field unspecified in the base search. And when this was 'fixed' in 4.1.X that crutch stopped working. Just an educated guess though.

hth

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...