https://community.splunk.com/t5/Splunk-Search/Why-are-field-values-lost-using-the-table-command-after-the/m-p/240382#M71438 <P>Smart mode</P> Fri, 22 Jan 2016 06:57:57 GMT tenorway 2016-01-22T06:57:57Z https://community.splunk.com/t5/Splunk-Search/Why-are-field-values-lost-using-the-table-command-after-the/m-p/240378#M71434 <P>Hi all!</P> <P>I am using the <CODE>transaction</CODE> command to group events based on an identifier occuring in separate indexes. Works nicely. The events shows up with all the information. In the left of the Splunk window, all expected fields from both indexes have values. </P> <P>However, when trying to display some of the fields using the <CODE>table</CODE> command, only the fields from one of the indexes have values. The others are empty. </P> <P>Piping the output from the <CODE>transaction</CODE> command through the <CODE>fields</CODE> command fixes the problem, but why is this happening?</P> <P>Doesn't work (Path is blank): </P> <PRE><CODE>index=* | rename correlationId as CID | transaction CID | table host, path </CODE></PRE> <P>Works (Both fields have values): </P> <PRE><CODE>index=* | rename correlationId as CID | transaction CID | fields * | table host,path </CODE></PRE> <P>Thanks for any assistance!</P> Thu, 21 Jan 2016 08:04:31 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-field-values-lost-using-the-table-command-after-the/m-p/240378#M71434 tenorway 2016-01-21T08:04:31Z https://community.splunk.com/t5/Splunk-Search/Why-are-field-values-lost-using-the-table-command-after-the/m-p/240379#M71435 <P>Not sure why both searches are not returning the same results but for the sake of performance I would use the following anyway:</P> <PRE><CODE>index=* | rename correlationId as CID | fields host, path, CID | stats values(path) as path, values(host) as host by CID | table host, path </CODE></PRE> Thu, 21 Jan 2016 09:54:28 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-field-values-lost-using-the-table-command-after-the/m-p/240379#M71435 javiergn 2016-01-21T09:54:28Z https://community.splunk.com/t5/Splunk-Search/Why-are-field-values-lost-using-the-table-command-after-the/m-p/240380#M71436 <P>Are your search results set to 'Fast Mode'? If so, Splunk will only extract the fields that it needs (like the default host, source, sourcetype, _time, etc) and the fields that you explicitly state in your search. If you want most or all fields extracted you will need to use either 'Smart Mode' or 'Verbose Mode'.</P> Thu, 21 Jan 2016 14:05:57 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-field-values-lost-using-the-table-command-after-the/m-p/240380#M71436 wpreston 2016-01-21T14:05:57Z https://community.splunk.com/t5/Splunk-Search/Why-are-field-values-lost-using-the-table-command-after-the/m-p/240381#M71437 <P>Thanks for the reply. The path variable will not be present in all events. <BR /> The web will log the path, and the middleware will log other fields. <BR /> Will I then be able to display the whole "transaction" in one row using stats? </P> Fri, 22 Jan 2016 06:57:24 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-field-values-lost-using-the-table-command-after-the/m-p/240381#M71437 tenorway 2016-01-22T06:57:24Z https://community.splunk.com/t5/Splunk-Search/Why-are-field-values-lost-using-the-table-command-after-the/m-p/240382#M71438 <P>Smart mode</P> Fri, 22 Jan 2016 06:57:57 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-field-values-lost-using-the-table-command-after-the/m-p/240382#M71438 tenorway 2016-01-22T06:57:57Z