Splunk Enterprise

Why search on sourcetype changed after migration?

kiwine
Observer
 
Hello everyone,

We recently upgraded our Splunk Enterprise from 7.x to 8.1.7.2 and we noticed some changes when we search on sourcetype.

Some of our sourcetypes can contain different types of data.
Let's say we have data A stored in sourcetype SRCT with some fields corresponding to this type of data: field1_A, field2_A. And data B is also stored in sourcetype SRCT with its own fields: field1_B, field2_B.

If we do a simple search: index=index sourcetype=SRCT field1_A=value1 | table *

  • In Splunk Enterprise 7.x, the table only shows the fields that concern data A, that is to say, field1_A and field2_A:

    field1_A | field2_A
    value1   | value2

  • Now, since the upgrade, the table shows all the fields from data A and data B, even though the data we are looking for is data A. In this case, field1_B and field2_B are empty:

    field1_A | field2_A | field1_B | field2_B
    value1   | value2   |          |

  • BUT: if we do not specify sourcetype=SRCT in our search: index=index field1_A=value1 | table *
    It only shows the fields field1_A and field2_A:

    field1_A | field2_A
    value1   | value2

It's as if searching on sourcetype makes it retrieve all the fields that this sourcetype has ever encountered, without discarding the null fields.

The same can be noticed when we search on source.

Has anyone seen this before? What can explain this change of behavior?

0 Karma

VatsalJagani
SplunkTrust

That sounds familiar; I'm not sure exactly what it was or which version of Splunk I was checking.

I would just use the table command in the search to avoid the issue.

0 Karma