Field missing in statistical table only, while present (with values) in search

altink
Builder

Dear all,

I have a dashboard table that does not display certain fields, which do have data - although not in every row - for the period searched.

The fields missing in the dashboard table are "group" and "rule".
When clicking the dashboard loop button - search in a new form - they do appear.

Splunk version is 6.4.4.

The code is below:

<form>
  <label>Cisco FW Change 02</label>
  <search id="mc_unf_base">
    <query>index=net_firewall sourcetype=cisco:asa vendor_class=config user="*" command="*"</query>
    <earliest>$field_time.earliest$</earliest>
    <latest>$field_time.latest$</latest>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="field_time">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search base="mc_unf_base">
          <query>| table _time, host, user, src, group, rule, severity_level, command, change_description     
                 | rename host AS Firewall, user as User, src as "Client IP", severity_level as Severity</query>
        </search>
        <option name="wrap">false</option>
        <option name="rowNumbers">true</option>
        <option name="drilldown">row</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">16</option>
      </table>
    </panel>
  </row>
</form>

best regards
Altin

0 Karma
1 Solution

chrisyounger
SplunkTrust

Whenever you use a base search, you need to explicitly specify all fields that you need for later searches. So change your base search to this:

index=net_firewall sourcetype=cisco:asa vendor_class=config user="*" command="*"| fields _time, host, user, src, group, rule, severity_level, command, change_description

Secondly, using a base search without a summarising command is not ideal.
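
An added example, not part of the original answer or of Splunk's own tooling: a small Python check that reads a Simple XML dashboard and reports the fields a post-process `table` uses that a non-transforming base search never names in a `| fields` clause. The function names, the list of summarising commands and the trimmed sample dashboard are assumptions made for this illustration.

```python
import re
import xml.etree.ElementTree as ET

TRANSFORMING = {"stats", "chart", "timechart", "top", "rare"}  # summarising commands

def commands(spl):
    """Split SPL on pipes into (command, args) pairs; pipes inside quotes are not handled."""
    pairs = []
    for part in spl.split("|"):
        words = part.strip().split(None, 1)
        if words:
            pairs.append((words[0].lower(), words[1] if len(words) > 1 else ""))
    return pairs

def field_list(args):
    """Names from a comma- or space-separated field list; quoted names stay whole."""
    return [m.strip('"') for m in re.findall(r'"[^"]+"|[^\s,]+', args)]

def missing_fields(dashboard_xml):
    """Return {base id: fields a post-process `table` uses that the base never lists}."""
    root = ET.fromstring(dashboard_xml)
    bases = {s.get("id"): s.findtext("query", "") for s in root.iter("search") if s.get("id")}
    report = {}
    for post in root.iter("search"):
        base_id = post.get("base")
        if base_id not in bases:
            continue
        base_cmds = commands(bases[base_id])
        if any(name in TRANSFORMING for name, _ in base_cmds):
            continue  # summarising base searches are outside this check
        kept = {f for name, args in base_cmds
                if name == "fields" and not args.startswith("-") for f in field_list(args)}
        wanted = [f for name, args in commands(post.findtext("query", ""))
                  if name == "table" for f in field_list(args)]
        gaps = [f for f in wanted if f not in kept]
        if gaps:
            report.setdefault(base_id, []).extend(gaps)
    return report

# Constructed sample: the question's dashboard, trimmed; {base} is the base query.
DASHBOARD = """<form><search id="mc_unf_base"><query>{base}</query></search>
  <row><panel><table><search base="mc_unf_base">
    <query>| table _time, host, user, src, group, rule, severity_level, command, change_description
           | rename host AS Firewall, user as User, src as "Client IP", severity_level as Severity</query>
  </search></table></panel></row></form>"""
ORIGINAL = 'index=net_firewall sourcetype=cisco:asa vendor_class=config user="*" command="*"'

if __name__ == "__main__":
    print(missing_fields(DASHBOARD.format(base=ORIGINAL)))
```

Run against the question's base search, every field in the `table` is reported; with the `| fields` clause from the answer appended to the base query, the function returns an empty dict.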

altink
Builder

Thank you very much @chrisyoungerjds

best regards
Altin

0 Karma

lakshman239
Influencer

Are you seeing them when you run your search in the search window? Also, if there are more than 10 results, they would appear on the next page. Hope you have checked that in the table results.

index=net_firewall sourcetype=cisco:asa vendor_class=config user="*" command="*" | fillnull value="N/A" group, rule | stats count by group, rule

0 Karma

altink
Builder

Thank you,

but it is not a matter of pages. I do see them in search, but not in the statistical (dashboard) table.

0 Karma