topic Re: Splunk Bug "fields command" in Splunk Search

Splunk Bug "fields command"

wessam — Wed, 14 Jun 2017 11:53:06 GMT

I am facing an issue with fields command as i am generating splunk queries below

.....)|fields - records2,records

and it working fine , however after automating this query on dashboard and running it several times , query is changed and became

.....)|fields-records2,records

Which gives an error because there is no spaces between characters !!
So did anyone face the same issue and could you please help me with a workarround or solution

Re: Splunk Bug "fields command"

rjthibod — Wed, 14 Jun 2017 12:42:56 GMT

What do you mean when by "automating" this query? What exactly did you do that seems to have resulted in removing whitespace in the query?

Re: Splunk Bug "fields command"

wessam — Wed, 14 Jun 2017 12:49:29 GMT

i mean that after the query in generated , i am just saving it into a dashboard and after opening this dashboard several times . whitespace in query is removed so that's weird as i have only saved the query

Re: Splunk Bug "fields command"

rjthibod — Wed, 14 Jun 2017 13:15:17 GMT

Can you share the XML for the dashboard?

Also, what version of Splunk and what browser are you using?

Re: Splunk Bug "fields command"

wessam — Wed, 14 Jun 2017 14:23:30 GMT

Splunk Version 6.5.1 and i am using IE11

Re: Splunk Bug "fields command"

rjthibod — Wed, 14 Jun 2017 14:27:36 GMT

Can you share your XML for the dashboard?

Re: Splunk Bug "fields command"

wessam — Wed, 14 Jun 2017 14:32:33 GMT

    <search>
      <query>..... |fields - records2,records</query>
      <earliest>0</earliest>
      <sampleRatio>1</sampleRatio>
    </search>
    <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
    <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
    <option name="charting.axisTitleX.visibility">visible</option>
    <option name="charting.axisTitleY.text">Number of Tickets</option>
    <option name="charting.axisTitleY.visibility">visible</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.axisX.scale">linear</option>
    <option name="charting.axisY.scale">linear</option>
    <option name="charting.axisY2.enabled">0</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart">column</option>
    <option name="charting.chart.bubbleMaximumSize">50</option>
    <option name="charting.chart.bubbleMinimumSize">10</option>
    <option name="charting.chart.bubbleSizeBy">area</option>
    <option name="charting.chart.nullValueMode">gaps</option>
    <option name="charting.chart.showDataLabels">all</option>
    <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
    <option name="charting.chart.stackMode">default</option>
    <option name="charting.chart.style">shiny</option>
    <option name="charting.drilldown">none</option>

Re: Splunk Bug "fields command"

rjthibod — Wed, 14 Jun 2017 14:36:02 GMT

Can you see what happens if you do the same thing in another browser (Chrome or FF)?

Re: Splunk Bug "fields command"

rmarcum — Wed, 14 Jun 2017 14:47:30 GMT

I have been seeing this issue since we rolled out v6.5.x many weeks ago. I first encountered it when going in and out of the new Source edit feature, so I assume it has to do with recompilation of XML. I believe I see the same thing when I go into Source via "Views". I also see it in titles where I use a dash--e.g. "Title - More Title". Our admin has been unable to address the issue or provide a workaround. Basically, I have found no workaround other than not using "fields -", or using "table ...". This is the first time I have finally seen anyone mention such a HUGE issue on Splunk Answers...which has surprised me a bit. I use MSIE.

Re: Splunk Bug "fields command"

rmarcum — Wed, 14 Jun 2017 14:53:50 GMT

Re: Splunk Bug "fields command"

rmarcum — Wed, 14 Jun 2017 15:10:32 GMT

BTW, another workaround I have for key code I do not want to change is to put it in a macro which seems to be immune to this issue. Again, I suspect "source".

Re: Splunk Bug "fields command"

DalJeanis — Wed, 14 Jun 2017 15:38:22 GMT

@rmarcum - please be sure to hit the "me-too" button if you want more eyes on the bug.

Re: Splunk Bug "fields command"

jplumsdaine22 — Thu, 15 Jun 2017 15:10:12 GMT

We also see this with the sort command. Splunk 6.5.2

You can verify this on the file system from $SPLUNK_HOME/etc/

find ./users ./apps -type f -name '*.xml' -exec grep --color 'sort-|find-' {} +

I'm raising a support request for our users - I recommend you do the same

Re: Splunk Bug "fields command"

jplumsdaine22 — Fri, 16 Jun 2017 13:52:56 GMT

Support tell me this is fixed in 6.5.4

See SPL-140551 here: http://docs.splunk.com/Documentation/Splunk/6.5.4/ReleaseNotes/6.5.4

Re: Splunk Bug "fields command"

wessam — Tue, 29 Sep 2020 14:40:10 GMT

the same issue happened
Is there any workaround for this bug instead of using fields - ?

as i would like to display graph which represents number of records after dedup and all records before dedup.

Re: Splunk Bug "fields command"

wessam — Tue, 29 Sep 2020 14:40:13 GMT

Is there any workaround for this bug instead of using fields - ?

as i would like to display graph which represents number of records after dedup and all records before dedup.

Re: Splunk Bug "fields command"

wessam — Tue, 29 Sep 2020 14:40:15 GMT

Is there any workaround for this bug instead of using fields - ?

as i would like to display graph which represents number of records after dedup and all records before dedup.

Re: Splunk Bug "fields command"

rmarcum — Wed, 28 Jun 2017 16:30:02 GMT

I have successfully used my two suggestions above (i.e., "table" or put the code in a macro that contains the "fields -" command). Additionally, a real hack I sometimes use is a "focused" macro--e.g., FieldsMinus4 defined as:

    fields - $field1$, $field2$, $field3$, $field4$

Which I implement as:

    | makeresults | eval aField1=123 | eval aField2=456 | eval aField3=789 | `FieldsMinus4(aField1,a,b,c)`

This takes advantage of the fields command working whether or not the field(s) exist that are passed as arguments. Thus I populate the 4 arguments using a, b, c, to make sure all 4 are there. This works for me for the many cases where there are less than 5 fields I need to remove.

Regards.