Hello
While testing my workflow actions, I've noticed a really weird thing happening
When a field has the word "all" in its name, the interesting fields are not shown on the event automatically. (see the image in the spoiler tag for a better understanding)
So to use the workflow action that I have for that field I need to manually add it by selecting the field in the "All Fields" option.
Does anyone knows why this is happening?
Is it expected?
Is there any configuration I am missing?
Thanks
"Verbose Mode" doesn't work as well 😢
As you can see in the image, even changing the field name doesn't help.
I'm guessing it's something related to reserved words.
Changing from " all " to " All " works
I believe this is a bug in splunk
I noticed that I'm getting the following error message in my console when expanding events that are not showing the fields. This error doesn't happen when expanding the other events.
Those are the JSON I'm using for this test
1)
{
"Show all actions": true
}
2)
{
"Show All actions": true
}
My console shows the error when expanding the event 1, but it doesn't when expanding the event 2. The only different between the events is the letter "a" in the word all (which is uppercase in the event 2).
I'm using Splunk Enterprise 8.0.4
To reproduce this problem I created a HEC, and sent the JSON bellow to the HEC
{
"time": 1592251280.000,
"host": "localhost",
"source": "test.json",
"index": "all_problem",
"sourcetype": "_json",
"event": {
"Show all actions": true
}
}
{
"time": 1592251275.000,
"host": "localhost",
"source": "test.json",
"index": "all_problem",
"sourcetype": "_json",
"event": {
"Show All actions": true
}
}
Search result:
The _raw looks exactly the same. In the JSON the field is also "a all a".
When I change it to "a any a" the fields are there (see the image)
Is there any log for the extraction routine so I can look for errors there?
