
Verbose mode returns results as expected, but not Fast mode.

Contributor

We are having some odd search results. When the query is run in Verbose mode, all fields return as expected; however, when the same query is run in Smart or Fast mode, only the default fields are returned, plus the two fields extracted at search time via the "| rex" command. Anyone run into this before?

EDIT
Query used:

(index=foo sourcetype=bar) OR (index=metrics sourcetype=stats
    [ search index=foo sourcetype=bar
    | mvexpand combine
    | rex field=combine "(?<id>\d+)=(?<hits>\d+)"
    | dedup id site
    | fields id site ] earliest=-1y)
| fillnull combine
| mvexpand combine
| rex field=combine "(?<id>\d+)=(?<hits>\d+)"
| eventstats latest(ip) as IP latest(info_id) as Info_ID by id, site
| where isnotnull(hits)
| table _time hits id site IP Info_ID

When my search runs in Verbose mode I see all fields (_time, hits, id, site, IP, Info_ID). However, when I run it in Fast mode I am missing IP and Info_ID.

If I remove the "| table" section altogether and run it in Fast mode, the query runs and all interesting fields are populated on the left side of the events.


Splunk Employee

Your fields are still there, but may not be displayed under the "Interesting Fields" column. For instance, if you have a field named "foo" in your search results, but it doesn't show up under "Interesting Fields" due to being in Fast mode, you can still do a search like this:

index=main foo=*

Fast mode prioritizes the performance of the search and does not return nonessential field or event data. This means that the search returns what is essential and required.

Verbose mode returns all of the field and event data it possibly can, even if it means the search takes longer to complete, and even if the search includes reporting commands.

Smart mode tries to make a determination based on your search (reporting vs. transforming vs. generating, etc.).

More information can be found on search modes here -> https://docs.splunk.com/Documentation/Splunk/latest/Search/Changethesearchmode


Contributor

Thanks for your reply; however, that doesn't do the trick. I should elaborate: the interesting fields DO in fact populate in Fast mode. But when I pipe the output to a table, it does not properly show the statistics table.


SplunkTrust

You should pass the fields command to make your fields show up under "Interesting Fields" while in Fast mode:

index=... sourcetype=... | fields + foo
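The original poster's query with that advice applied, as an added example that was not posted by anyone in this thread: a fields command placed directly after the base search, before fillnull, mvexpand and eventstats, tells Fast mode to keep ip and info_id (and the other fields the later commands consume) in the event set instead of discarding them as nonessential. The index, sourcetype and field names are the ones from the question; their contents are assumed.

```spl
(index=foo sourcetype=bar) OR (index=metrics sourcetype=stats
    [ search index=foo sourcetype=bar
    | mvexpand combine
    | rex field=combine "(?<id>\d+)=(?<hits>\d+)"
    | dedup id site
    | fields id site ] earliest=-1y)
| fields + _time combine site ip info_id
| fillnull combine
| mvexpand combine
| rex field=combine "(?<id>\d+)=(?<hits>\d+)"
| eventstats latest(ip) as IP latest(info_id) as Info_ID by id, site
| where isnotnull(hits)
| table _time hits id site IP Info_ID
```

The placement matters: the fields command has to come before the first command that needs those values, because once eventstats has run without them, the IP and Info_ID columns are already empty. Listing only the fields the pipeline actually uses keeps the performance benefit of Fast mode, whereas "| fields *" forces every field to be extracted and behaves much like Verbose mode.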

Contributor

See updated original question. I've included the query.


Explorer

I added "| fields *" and it gave me the results I wanted.


Esteemed Legend

Try adding info_id=* ip=* to the appropriate place to force Splunk to care about those fields early on, like this maybe:

(index=foo sourcetype=bar) OR (index=metrics sourcetype=stats info_id=* ip=*
    [ search index=foo sourcetype=bar
    | mvexpand combine
    | rex field=combine "(?<id>\d+)=(?<hits>\d+)"
    | dedup id site
    | fields id site ] earliest=-1y)
| fillnull combine
| mvexpand combine
| rex field=combine "(?<id>\d+)=(?<hits>\d+)"
| eventstats latest(ip) as IP latest(info_id) as Info_ID by id, site
| where isnotnull(hits)
| table _time hits id site IP Info_ID

Contributor

Thanks, unfortunately this didn't do the trick.


Builder

Curious: Is any of your data summary-indexed?


Contributor

The search is actually what is populating a summary index.
