Field display problem converting views from 4.0 to...

Tisiphone_1 · ‎09-30-2010

Hi all,

I recently converted from 4.0.x to 4.1.5, and I found that all of my views broke. The searches still run, and state they have results, but not all the existing fields come through, so the data that is post-processed does not display properly.

Here is an example search for a person input into a form (if the field is not null):

index=my_index "searchstring" [ stats count | eval search=if("$Person$"=="NOTSPECIFIED"," ","user=$Person$ ") | fields - count ]

This used to search for a variable the user input in a form, and output the results with all fields intact. Now, only two or three of 40 some-odd resulting fields show up if I remove post process on the results. I've tried specifying all necessary fields in the search to no avail.

My search post processes are pretty basic, just "top" and "dedup" or specifying fields.

<table>
      <title>Top Users</title>
            <searchPostProcess> | top user limit=10</searchPostProcess>
</table>

Thank you kindly for your time.

sideview · ‎10-01-2010

That's definitely strange.

It sounds like you've already tried my first suggestion, which is to make sure that the base search has

| fields user *

or some reference to the 'user' field in it? If the main search refers to the field then it'll be there and it'll be available for postprocess searches.

It's possible that in your view, required_field_list was being set in 4.0.X (possibly erroneously), and that was essentially allowing you to have the field unspecified in the base search. And when this was 'fixed' in 4.1.X that crutch stopped working. Just an educated guess though.

hth

Field display problem converting views from 4.0 to 4.1.5?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!