https://community.splunk.com/t5/Splunk-Search/empty-fields-in-a-table/m-p/463904#M130774 <P>But I face another issue: I have following a splunk query </P> <P>source="maillog.log" host="mail_server" sourcetype="mail" | rex "(?\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})"</P> <P>When I use top command</P> <P>source="maillog.log" host="mail_server" sourcetype="mail" | rex "(?\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})" | top ip</P> <P>it shows well. But when using table command it shows again field with null.</P> <P>source="maillog.log" host="mail_server" sourcetype="mail" | rex "(?\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})" | table _time ip</P> <P>I use Verbose mode and there are values in ip field. </P> Mon, 10 Feb 2020 11:24:14 GMT gagareg 2020-02-10T11:24:14Z https://community.splunk.com/t5/Splunk-Search/empty-fields-in-a-table/m-p/463901#M130771 <P>why does Splunk display empty fields in the table even though there are values there</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/8342i4BB9902FD29E40F5/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Sat, 08 Feb 2020 15:11:22 GMT https://community.splunk.com/t5/Splunk-Search/empty-fields-in-a-table/m-p/463901#M130771 gagareg 2020-02-08T15:11:22Z https://community.splunk.com/t5/Splunk-Search/empty-fields-in-a-table/m-p/463902#M130772 <P>Cells in a table tend to be empty because either 1) the field has no value in the event; or 2) the event has no field by that name.<BR /> Run the search in Verbose Mode then look in the Events tab to see if the fields are indeed present and have values. Pay close attention to the spelling and capitalization of field names as Splunk cares about both. "status" is not the same as "Status", for example.</P> <P>Pro tip: Add a default clause to your <CODE>case</CODE> functions to catch unexpected values. Something like <CODE>eval description = case(status==200, "OK", ..., 1==1, "unknown")</CODE>.</P> Sat, 08 Feb 2020 17:48:54 GMT https://community.splunk.com/t5/Splunk-Search/empty-fields-in-a-table/m-p/463902#M130772 richgalloway 2020-02-08T17:48:54Z https://community.splunk.com/t5/Splunk-Search/empty-fields-in-a-table/m-p/463903#M130773 <P>Yes, you're right about mode. I tried Verbose mode, and it works as expected. Thank you </P> Mon, 10 Feb 2020 09:45:10 GMT https://community.splunk.com/t5/Splunk-Search/empty-fields-in-a-table/m-p/463903#M130773 gagareg 2020-02-10T09:45:10Z https://community.splunk.com/t5/Splunk-Search/empty-fields-in-a-table/m-p/463904#M130774 <P>But I face another issue: I have following a splunk query </P> <P>source="maillog.log" host="mail_server" sourcetype="mail" | rex "(?\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})"</P> <P>When I use top command</P> <P>source="maillog.log" host="mail_server" sourcetype="mail" | rex "(?\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})" | top ip</P> <P>it shows well. But when using table command it shows again field with null.</P> <P>source="maillog.log" host="mail_server" sourcetype="mail" | rex "(?\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})" | table _time ip</P> <P>I use Verbose mode and there are values in ip field. </P> Mon, 10 Feb 2020 11:24:14 GMT https://community.splunk.com/t5/Splunk-Search/empty-fields-in-a-table/m-p/463904#M130774 gagareg 2020-02-10T11:24:14Z https://community.splunk.com/t5/Splunk-Search/empty-fields-in-a-table/m-p/561975#M195447 <P>I'm also having this problem, already in verbose mode but I had to go into "XX more fields" to add these to my initial query.&nbsp; Am I better off attempting this as a dashboard or getting those fields automatically added to the search?&nbsp;&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;</P> Tue, 03 Aug 2021 22:36:11 GMT https://community.splunk.com/t5/Splunk-Search/empty-fields-in-a-table/m-p/561975#M195447 fgarvis0_36 2021-08-03T22:36:11Z https://community.splunk.com/t5/Splunk-Search/empty-fields-in-a-table/m-p/561978#M195449 <P>If you're having a similar problem, but this solution doesn't help then you have a different problem and should post a new question.</P> Wed, 04 Aug 2021 00:12:22 GMT https://community.splunk.com/t5/Splunk-Search/empty-fields-in-a-table/m-p/561978#M195449 richgalloway 2021-08-04T00:12:22Z