Convert Fast Mode to Verbose Mode

rahul2gupta · ‎07-10-2020

When I am running the same query in verbose mode it is giving me results where as the same query in fast mode it is not giving me the results.

Please guide me how to change from fast mode to verbose mode in dashboard panel.

I tried with different solutions available on the solutions but it did not worked.

Please help.

Regards,

Rahul

gcusello · ‎07-10-2020

Hi @rahul2gupta ,

in Fast Mode, you cannot use fields in search (you can use only index time fields: index, sourcetype, host, source) and you're using the status field.

Panels automatically use the Smart Mode that's an intermediate mode to search using the needed fields but not al of them, in this way is faster than Verbose.

If you continue not having results in dashboard panels, try this:

run the main search in verbose mode,
flag status as intereding field.
run again your search in Smart Mode.

Now you should have results.

Ciao.

Giuseppe

rahul2gupta · ‎07-11-2020

Hi @gcusello ,

When you say flag status as interesting field ,what does it mean.

Can you please elaborate more.

Regards,

Rahul

gcusello · ‎07-12-2020

Hi @rahul2gupta ,

when you run a search, in the left site of the screen there are the lists of Selected Fields and Interesting Fields.

You should have "status" in the Interesting Field list.

Clicking on it, your have a popup and in the upper right of the popup there's "Selected Yes/Not", if you click on Yes, the field is added to Selected.

Then run again your full search (or the Dashboard's Panel) and see if it's working.

Ciao.

Giuseppe

rahul2gupta · ‎07-12-2020

Hi @gcusello ,

I tried but it did not worked.

Regards,

Rahul

gcusello · ‎07-12-2020

Hi @rahul2gupta,

is the displayed macro the one you displayed in the first image

index=symantec sourcetype=sep12:scan status=completed

or another one?

If you have another macro inside the displayed macro, please share both.

Ciao.

Giuseppe

rahul2gupta · ‎07-12-2020

Hi @gcusello ,

Please find the screen shot below.

Regards,

Rahul

gcusello · ‎07-12-2020

Hi @rahul2gupta,

As I said, please display your macro, if you have another macro inside the displayed macro, please share both.

Ciao.

Giuseppe

rahul2gupta · ‎07-13-2020

Hi @gcusello ,

The following query I used index=symantec sourcetype="sep12:scan" status=completed |fields * |stats count and it worked.

Thank you for your guidance.

Regards,

Rahul

gcusello · ‎07-13-2020

Hi @rahul2gupta,

good!

Ciao and next time.

Giuseppe

P.S.: Karma Points are appreciated 😉

isoutamo · ‎07-12-2020

You could expand macro with Shift + Ctrl + e on windows and Shift + Cmd + E on macOS. This helps you to see how Splunk expands it.

Convert Fast Mode to Verbose Mode

saved search

scheduled search

Splunk App for Anomaly Detection End of Life Announcment

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Are you a member of the Splunk Community?

Convert Fast Mode to Verbose Mode

saved search

scheduled search

Splunk App for Anomaly Detection End of Life Announcment

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk