Re: Fields not displaying in Fast and Smart modes ...

mahesh423 · ‎09-16-2019

I've issue on 7.2.4.x where fields are not showing in the fast and smart mode , whereas works in verbose mode.I've explicitly declared the fields that i would like to display in fast and smart mode searches too . Fields are working fine in all modes in 7.0.x. All fields which are not displaying are calculated fields and field aliases. Please suggest how to handle this issue.

(index=yc_idx  sourcetype="my_sourcetype" Field1=* Field2=* ) |
stats count by Field1 ,Field2
index=yc_idx  sourcetype="my_sourcetype" |fields + Field1 ,Field2|
Stats values(Field1 ) as fld1 values(Field2) as fld2

FYI- If I declare the calculated field expression explicitly in search as eval field1 = expression it is working 7.2.4 in fast and smart modes but not as a calculated field or filed aliases.

bowesmana · ‎09-23-2019

I have a similar problem with extracted fields from transforms.conf. I'm on 7.2.6 - not sure what the problem is yet...

mahesh423 · ‎09-24-2019

@bowesmana - Please check if the transforms.conf field extractions are done on heavy forward level or the indexer on the server.
Not sure why this is working on 7.0.X and other versions prior to the 7.2.X.

Splunk claims this as a bug and suggest to follow the documentation steps with field alisas https://docs.splunk.com/Documentation/Splunk/7.3.1/ReleaseNotes/Fieldaliasbehaviorchange

bowesmana · ‎09-24-2019

Interesting @mahesh423 on that alias change. My case was more simple in that it's standalone system. If your aliases are in props.conf, then it would seem to be a permissions or precedence issue somewhere.

Have you checked all your permission settings in local/default.meta?

mahesh423 · ‎10-06-2019

@bowesmana - I've checked all the local/default.meta permissions and looks good . Perhaps my field alias are depending on an external app and sharing the permissions globally.

mahesh423 · ‎09-24-2019

Thanks @bowesmana and @abowesman for the replies

mahesh423 · ‎09-24-2019

Thanks for the reply. Yes the field aliases are not working , I have created the new field aliases with the ASNEW per documentation with splunk - https://docs.splunk.com/Documentation/Splunk/7.3.1/ReleaseNotes/Fieldaliasbehaviorchange
after upgrading to the 7.2.5.x version still the problem persists.

Need to check the props.conf permissions and also precedence with the files and test only the fields that have currently the issue with.
I found that the even fields ( probably extracted fields from transforms.conf ) that are used for field alias are also unable to display values. digging back to see if these fields are extracted at heavy forwarder level.

abowesman · ‎09-23-2019

Been looking at my config with a qualified Splunk architect - there appears to be no problem with my config, so it looks like in my case, there's some underlying permission problem, either at the OS level (Mac) or from some broken Splunk environment.

I've duplicated the config on another Splunk instance and it works - not sure if this helps you in any way...

bowesmana · ‎09-23-2019

Just upgraded to 7.3.11 - problem persists

Fields not displaying in Fast and Smart modes Splunk enterprise 7.2.4

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!