I have an issue on 7.2.4.x where fields are not showing in fast and smart mode, whereas it works in verbose mode. I've explicitly declared the fields that I would like to display in fast and smart mode searches too. Fields are working fine in all modes in 7.0.x. All fields which are not displaying are calculated fields and field aliases. Please suggest how to handle this issue.
(index=yc_idx sourcetype="my_sourcetype" Field1=* Field2=* ) | stats count by Field1 ,Field2
index=yc_idx sourcetype="my_sourcetype" |fields + Field1 ,Field2| Stats values(Field1 ) as fld1 values(Field2) as fld2
FYI - If I declare the calculated field expression explicitly in the search as eval field1 = expression, it works in 7.2.4 in fast and smart modes, but not as a calculated field or field alias.
@bowesmana - Please check if the transforms.conf field extractions are done at the heavy forwarder level or the indexer on the server.
Not sure why this is working on 7.0.X and other versions prior to the 7.2.X.
Splunk claims this as a bug and suggests following the documentation steps for field aliases: https://docs.splunk.com/Documentation/Splunk/7.3.1/ReleaseNotes/Fieldaliasbehaviorchange
Interesting @mahesh423 on that alias change. My case was simpler in that it's a standalone system. If your aliases are in props.conf, then it would seem to be a permissions or precedence issue somewhere.
Have you checked all your permission settings in local/default.meta?
Thanks for the reply. Yes, the field aliases are not working. I have created the new field aliases with ASNEW per the Splunk documentation - https://docs.splunk.com/Documentation/Splunk/7.3.1/ReleaseNotes/Fieldaliasbehaviorchange
After upgrading to the 7.2.5.x version, the problem still persists.
Need to check the props.conf permissions and also precedence with the files, and test only the fields that currently have the issue.
I found that even the fields (probably extracted fields from transforms.conf) that are used for the field aliases are also unable to display values. Digging back to see if these fields are extracted at the heavy forwarder level.
Been looking at my config with a qualified Splunk architect - there appears to be no problem with my config, so it looks like in my case, there's some underlying permission problem, either at the OS level (Mac) or from some broken Splunk environment.
I've duplicated the config on another Splunk instance and it works - not sure if this helps you in any way...