We recently upgraded our Splunk Enterprise from 7.x to 8.1.7.2 and we noticed some changes when we search on sourcetype.
Some of our sourcetypes can contain different types of data.
Let's say we have data A stored in sourcetype SRCT with some fields corresponding to this type of data: field1_A, field2_A. And data B is also stored in sourcetype SRCT with its own fields: field1_B, field2_B.
If we do a simple search: index=index sourcetype=SRCT field1_A=value1 | table *
field1_A | field2_A |
value1 | value2 |
field1_A | field2_A | field1_B | field2_B |
value1 | value2 |
field1_A | field2_A |
value1 | value2 |
It's as if searching on sourcetype makes it retrieve all the fields that this sourcetype has encountered without discarding null fields.
The same can be noticed when we search on source.
Has anyone seen this before? What can explain this change of behavior?
That sounds familiar; I'm not sure exactly what it was or which version of Splunk I was checking.
I would just use the table command in the search to avoid the issue.