Other Usage

Why does field not populate in report but does when running the search?

Gregski11
Contributor

We have a scheduled report that used to work, and now one of the six fields does not populate in the report, ie shows no values, however when we run the search just as a regular search all fields populate including that one

the field is called SystemUpTime

| eval SystemUpTime=tostring(SystemUpTime,"duration") | table host, SystemUpTime ]

Labels (1)
0 Karma

woodcock
Esteemed Legend

It is silly to post a problem with a search and not post the entire search (slightly redacted if necessary, which it usually is not).  Since you have given us almost nothing to go on, I will answer what can be said.  There are 2 main things that can be wrong with that line. EITHER the 'SystemUpTime' field does not exist at all before that line hits OR it is negative.  If it is the latter, you can fix like this:

| fieldformat SystemUpTime = if(SystemUpTime < 0, "-", "") . tostring(abs(SystemUpTime), "duration")

Like this:

 

| makeresults | eval _raw="
host SystemUpTime
foo  -1
bar  0
bat  1"
| multikv forceheader=1
| fieldformat SystemUpTime = if(SystemUpTime < 0, "-", "") . tostring(abs(SystemUpTime), "duration")
| table host, SystemUpTime

 

 
 

 

0 Karma

Gregski11
Contributor

you are right I am sorry, before I post the full query I just want to say that this report used to work and we made no changes to the query or to the report and just this one field out of six stopped populating 

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Permissions difference?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...