Dashboards & Visualizations

Field display problem converting views from 4.0 to 4.1.5?


Hi all,

I recently converted from 4.0.x to 4.1.5, and I found that all of my views broke. The searches still run, and state they have results, but not all the existing fields come through, so the data that is post-processed does not display properly.

Here is an example search for a person input into a form (if the field is not null):

index=my_index "searchstring" [ stats count | eval search=if("$Person$"=="NOTSPECIFIED"," ","user=$Person$ ") | fields - count ]

This used to search for a variable the user input in a form, and output the results with all fields intact. Now, only two or three of 40 some-odd resulting fields show up if I remove post process on the results. I've tried specifying all necessary fields in the search to no avail.

My search post processes are pretty basic, just "top" and "dedup" or specifying fields.

      <title>Top Users</title>
            <searchPostProcess> | top user limit=10</searchPostProcess>

Thank you kindly for your time.

Tags (1)
0 Karma


That's definitely strange.

It sounds like you've already tried my first suggestion, which is to make sure that the base search has

| fields user * 

or some reference to the 'user' field in it? If the main search refers to the field then it'll be there and it'll be available for postprocess searches.

It's possible that in your view, required_field_list was being set in 4.0.X (possibly erroneously), and that was essentially allowing you to have the field unspecified in the base search. And when this was 'fixed' in 4.1.X that crutch stopped working. Just an educated guess though.


0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...