Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Field display problem converting views from 4.0 to 4.1.5?

Tisiphone_1
Explorer
‎09-30-2010 08:17 PM

Hi all,

I recently converted from 4.0.x to 4.1.5, and I found that all of my views broke. The searches still run, and state they have results, but not all the existing fields come through, so the data that is post-processed does not display properly.

Here is an example search for a person input into a form (if the field is not null):

index=my_index "searchstring" [ stats count | eval search=if("$Person$"=="NOTSPECIFIED"," ","user=$Person$ ") | fields - count ]

This used to search for a variable the user input in a form, and output the results with all fields intact. Now, only two or three of 40 some-odd resulting fields show up if I remove post process on the results. I've tried specifying all necessary fields in the search to no avail.

My search post processes are pretty basic, just "top" and "dedup" or specifying fields.

<table>
      <title>Top Users</title>
            <searchPostProcess> | top user limit=10</searchPostProcess>
</table>

Thank you kindly for your time.

Tags (1)
0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎10-01-2010 06:14 PM

That's definitely strange.

It sounds like you've already tried my first suggestion, which is to make sure that the base search has 

| fields user *

or some reference to the 'user' field in it? If the main search refers to the field then it'll be there and it'll be available for postprocess searches.

It's possible that in your view, required_field_list was being set in 4.0.X (possibly erroneously), and that was essentially allowing you to have the field unspecified in the base search. And when this was 'fixed' in 4.1.X that crutch stopped working. Just an educated guess though.

hth

0 Karma
Reply
Get Updates on the Splunk Community!

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...