Why are the table command and dropping values?

jaxxsplunk · ‎02-16-2022

Summary:

When using the table command, values are dropped if { is the first character.

index=someindex host="VVV" source=somesource earliest=-24h action

NOT( ACTION ="SUMMARY" OR ACTION="RESULT")

| dedup ID

|rename ID as "Rcrds Prcssd To Date"

| rename EVENT_DT as "Date Time" EVENT as "API EVENT"

|convert ctime(_time) as RunDate timeformat="%m/%d/%Y %H:%M %p"

|table ID,RunDate,ACTION, "API EVENT"

|SORT -ID

When the "API EVENT" field has a { starting value, the remaining values are dropped.

If I replace

|table ID,RunDate,ACTION, "API EVENT"

with

|fields ID,RunDate,ACTION, "API EVENT"

I see the { and the remaining values for "API EVENT"

Why is the table comm, and dropping values?

isoutamo · ‎02-16-2022

Hi

this sounds like a bug. Please report it to splunk support.

r. Ismo

gcusello · ‎02-16-2022

Hi @jaxxsplunk,

only for your information, if you rename a field "| rename ID as "Rcrds Prcssd To Date"" the following " | sort -ID" doesn't run because the ID field isn't yet present!

Anyway, probably there's an error in "EVENT" field extraction.

We could help you, if you share a sample of your logs and the regex that you're using to extract the "EVENT" field to understand why sometimes your field extraction doesn't run.

The difference between table and fields is that table is a steaming command, instead fields is a non streming field, you can find a description of the command types at https://docs.splunk.com/Documentation/Splunk/8.2.4/Search/Typesofcommands

Ciao.

Giuseppe

Why are the table command and dropping values?

table

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?