Splunk Search

Missing columns when run as scheduled/saved search

Path Finder

I am completely stumped.

When I run the following search interactively, all of the columns are populated with data. But when I run it as a saved search and email the results inline, none of the numbered columns have any data. And the 'Total' column is missing entirely.

sourcetype="cloudfront_http" (tag::cdn_useragent=iphone OR tag::cdn_useragent=ipod) cdn_ext!=m3u8 | rangemap field=cdn_bandwidth k64=0-99 k110=100-199 k200=200-299 k400=400-499 k600=600-699 default=unknown | chart count over cdn_tpmid by range | rename cdn_tpmid as "tp_media_object_id" | join type=left tp_media_object_id [inputlookup cove_data_by_id.csv] |  rename program_title as "Program", tp_media_object_id as "ID", title as "Title", duration_sec as "Length" | eval Length=round(Length/60,1) | eval 64k=round(k64/360,1) | eval 110k=round(k110/360,1) | eval 200k=round(k200/360,1) | eval 400k=round(k400/360,1) | eval 600k=round(k600/360,1) | table Program, ID, Title, Length, 64k, 110k, 200k, 400k, 600k | addtotals 64k 110k 200k 400k 600k | sort -Total

Is there a known issue with Splunk that would explain this strange behavior? (I am running version 4.1.6.)

Influencer

Try to explicitly require the fields you use, using the fields command:

sourcetype="cloudfront_http" ... | fields + cdn_bandwidth cdn_tpmid tp_media_object_id ... | ...
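As an added illustration (not code from the original thread), this is the poster's search with an explicit fields command placed immediately after the base search, before rangemap and chart. The field names are the ones the original search already uses; the rest of the pipeline is unchanged. The point of the placement is that rangemap needs cdn_bandwidth and chart needs cdn_tpmid, so the fields command has to sit ahead of both of them for the scheduler to extract those fields at search time.

```spl
sourcetype="cloudfront_http" (tag::cdn_useragent=iphone OR tag::cdn_useragent=ipod) cdn_ext!=m3u8
| fields + cdn_bandwidth cdn_tpmid
| rangemap field=cdn_bandwidth k64=0-99 k110=100-199 k200=200-299 k400=400-499 k600=600-699 default=unknown
| chart count over cdn_tpmid by range
| rename cdn_tpmid as "tp_media_object_id"
| join type=left tp_media_object_id [inputlookup cove_data_by_id.csv]
| rename program_title as "Program", tp_media_object_id as "ID", title as "Title", duration_sec as "Length"
| eval Length=round(Length/60,1)
| eval 64k=round(k64/360,1)
| eval 110k=round(k110/360,1)
| eval 200k=round(k200/360,1)
| eval 400k=round(k400/360,1)
| eval 600k=round(k600/360,1)
| table Program, ID, Title, Length, 64k, 110k, 200k, 400k, 600k
| addtotals 64k 110k 200k 400k 600k
| sort -Total
```

The "+" is optional: fields includes the listed fields by default and only excludes them with "-". Fields produced later in the pipeline (the k64..k600 range buckets, the lookup columns, the eval results) do not need to be listed, since they are not extracted from the raw events; only the fields read directly from the events (cdn_bandwidth, cdn_tpmid) do. A fields or table command placed after chart is too late to influence extraction, because chart has already consumed the events by then.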

Splunk Employee

It could be a bug. However there is a known behavior difference. In the search view all fields are requested. In a scheduled environment, only the requested fields are generated from the data. It's possible that there's some further wrinkle about the fields command needing to be at the right point in the pipeline; I don't fully understand your search at the moment. You may want to try the search in the 'advanced charting' view, which should skip requesting all the fields and possibly allow you to debug.


Path Finder

Ok, so I have tried it with both a table command and the field command, but the outcome is the same. It works fine interactively, but comes up blank when run as a saved search.

Could this be a bug in Splunk?


Influencer

No, you don't need to separate the fields with a comma. Any whitespace character is sufficient.


Path Finder

Also, I notice that in your syntax you did not use commas to separate field names. I assume that was simply an oversight?


Path Finder

I had tried that previously, although I do not normally use the '+' character when specifying fields.
