https://community.splunk.com/t5/Splunk-Search/getting-results-in-verbose-mode-but-not-in-smart-or-fast-mode/m-p/499587#M195030 <P><CODE>INDEXED_EXTRACTION</CODE> is a field extraction done at <EM>index</EM> time. All fields are being extracted when the data is indexed and they are always available in the events. The Search Mode (Fast/Verbose/Smart) only affects what is <STRONG>displayed</STRONG> at <EM>search</EM> time. Just to clarify: I assume that with "results" you mean that when you switch to the <EM>Events</EM> tab of the search results, you see no fields when you turn/open the twistie on an event.<BR /> 1. <CODE>index=abc field_name=123|table field_name</CODE>- All fields in the head of the search appear in the Events, regardless of the search level. Thus, in all levels you will see index and field_name, both being highlighted (yellow). Smart and verbose will show all fields extracted at index time<BR /> 2. <CODE>index=abc</CODE> - In "fast" mode, you will only see index, but no additional fields will be shown.<BR /> 3. <CODE>index=abc fieldname=123|fields *|table field_name</CODE> - Same as in 1</P> <P>Please note: The fields command affects the internal representation of the result. <CODE>fields - &lt;name&gt;</CODE> will remove a field from the result. After <CODE>fields - field_name</CODE> expanding the Events will no longer show field_name. <CODE>fields + *</CODE> (equivalent to <CODE>fields *</CODE>) keeps all fields that ** already are in the result** in the result (It does nothing.) Hence the <CODE>+</CODE> is misleading. Adding a field that does not exist in your result <CODE>... | fields + newfield |...</CODE> will in effect remove all fields and keep the non-existent. The field list will be empty after this. </P> Wed, 30 Sep 2020 02:30:25 GMT ololdach 2020-09-30T02:30:25Z https://community.splunk.com/t5/Splunk-Search/getting-results-in-verbose-mode-but-not-in-smart-or-fast-mode/m-p/499585#M195028 <P>I have indexed file using <CODE>INDEXED_EXTRACTION=csv</CODE> in props.conf<BR /> when I search <CODE>index=abc field_name=123</CODE> I get results in all three modes i.e. fast/smart/verbose mode and all fields are getting extracted as expected but when I try </P> <PRE><CODE>index=abc field_name=123|table field_name </CODE></PRE> <P>I only get results in Verbose mode and fast/smart mode gives no results. Then I tried using fields in search still same issue.</P> <PRE><CODE>index=abc field_name=123|fields *|table field_name </CODE></PRE> <P>This will also give results in Verbose mode and fast/smart mode gives no results. <BR /> Kindly help on this to resolve issue .<BR /> Thanks,</P> Wed, 09 Oct 2019 11:35:28 GMT https://community.splunk.com/t5/Splunk-Search/getting-results-in-verbose-mode-but-not-in-smart-or-fast-mode/m-p/499585#M195028 ips_mandar 2019-10-09T11:35:28Z https://community.splunk.com/t5/Splunk-Search/getting-results-in-verbose-mode-but-not-in-smart-or-fast-mode/m-p/499586#M195029 <P>Hi ips_mandar,<BR /> I experienced this behaviour, in a past release there was also a bug so I had a different number of results between Modes!</P> <P>Anyway, it's correct to have no results in Fast mode because you haven't any field for search.</P> <P>It's not so clear in Smart Mode: did you tried to display results in Verbose mode, put field_name in interesting fields and then run the search again in Smart mode?</P> <P>Bye.<BR /> Giuseppe</P> Wed, 09 Oct 2019 12:28:07 GMT https://community.splunk.com/t5/Splunk-Search/getting-results-in-verbose-mode-but-not-in-smart-or-fast-mode/m-p/499586#M195029 gcusello 2019-10-09T12:28:07Z https://community.splunk.com/t5/Splunk-Search/getting-results-in-verbose-mode-but-not-in-smart-or-fast-mode/m-p/499587#M195030 <P><CODE>INDEXED_EXTRACTION</CODE> is a field extraction done at <EM>index</EM> time. All fields are being extracted when the data is indexed and they are always available in the events. The Search Mode (Fast/Verbose/Smart) only affects what is <STRONG>displayed</STRONG> at <EM>search</EM> time. Just to clarify: I assume that with "results" you mean that when you switch to the <EM>Events</EM> tab of the search results, you see no fields when you turn/open the twistie on an event.<BR /> 1. <CODE>index=abc field_name=123|table field_name</CODE>- All fields in the head of the search appear in the Events, regardless of the search level. Thus, in all levels you will see index and field_name, both being highlighted (yellow). Smart and verbose will show all fields extracted at index time<BR /> 2. <CODE>index=abc</CODE> - In "fast" mode, you will only see index, but no additional fields will be shown.<BR /> 3. <CODE>index=abc fieldname=123|fields *|table field_name</CODE> - Same as in 1</P> <P>Please note: The fields command affects the internal representation of the result. <CODE>fields - &lt;name&gt;</CODE> will remove a field from the result. After <CODE>fields - field_name</CODE> expanding the Events will no longer show field_name. <CODE>fields + *</CODE> (equivalent to <CODE>fields *</CODE>) keeps all fields that ** already are in the result** in the result (It does nothing.) Hence the <CODE>+</CODE> is misleading. Adding a field that does not exist in your result <CODE>... | fields + newfield |...</CODE> will in effect remove all fields and keep the non-existent. The field list will be empty after this. </P> Wed, 30 Sep 2020 02:30:25 GMT https://community.splunk.com/t5/Splunk-Search/getting-results-in-verbose-mode-but-not-in-smart-or-fast-mode/m-p/499587#M195030 ololdach 2020-09-30T02:30:25Z