I am completely stumped.
When I run the following search interactively, all of the columns are populated with data. But when I run it as a saved search and email the results inline, none of the numbered columns have any data. And the 'Total' column is missing entirely.
sourcetype="cloudfront_http" (tag::cdn_useragent=iphone OR tag::cdn_useragent=ipod) cdn_ext!=m3u8 | rangemap field=cdn_bandwidth k64=0-99 k110=100-199 k200=200-299 k400=400-499 k600=600-699 default=unknown | chart count over cdn_tpmid by range | rename cdn_tpmid as "tp_media_object_id" | join type=left tp_media_object_id [inputlookup cove_data_by_id.csv] | rename program_title as "Program", tp_media_object_id as "ID", title as "Title", duration_sec as "Length" | eval Length=round(Length/60,1) | eval 64k=round(k64/360,1) | eval 110k=round(k110/360,1) | eval 200k=round(k200/360,1) | eval 400k=round(k400/360,1) | eval 600k=round(k600/360,1) | table Program, ID, Title, Length, 64k, 110k, 200k, 400k, 600k | addtotals 64k 110k 200k 400k 600k | sort -Total
Is there a known issue with Splunk that would explain this strange behavior? (I am running version 4.1.6.)
Try to explicitly require the fields you use, using the fields command:
sourcetype="cloudfront_http" ... | fields + cdn_bandwidth cdn_tpmid tp_media_object_id ... | ...
It could be a bug. However, there is a known behavior difference. In the search view all fields are requested. In a scheduled environment, only the requested fields are generated from the data. It's possible that there's some further wrinkle about the fields command needing to be at the right point in the pipeline; I don't fully understand your search at the moment. You may want to try the search in the 'advanced charting' view, which should skip requesting all the fields and possibly allow you to debug.
Ok, so I have tried it with both a table command and the fields command, but the outcome is the same. It works fine interactively, but comes up blank when run as a saved search.
Could this be a bug in Splunk?
No, you don't need to separate the fields with a comma. Any whitespace character is sufficient.
Also, I notice that in your syntax you did not use commas to separate field names. I assume that was simply an oversight?
I had tried that previously, although I do not normally use the '+' character when specifying fields.