Search in fast vs smart modes does not return same...

tomasmoser · ‎12-05-2019

We ran into a problem where a search in smart mode returns 6 events, while the same search in fast mode returns 2 events even if we enrich search in fast mode with some more fields we want to extract on top fields extracted by default. No effect. Searches are very simple – no transforming commands at the end.

We found out that in fast mode if we add

“| fields *”

it automagically returns all 6 events we expected. These searches run in dashboards/reports – so by default in FAST. What does adding |fields * have to do with the search? Isn’t it the same as Smart/Verbose after that? Does not make sense to me.

I read the docs detailing difference between fast vs. smart.
https://docs.splunk.com/Documentation/Splunk/8.0.0/Search/Changethesearchmode

Still I do not get it.

BTW: The additional fields in events we want to see in FAST are extracted using EXTACT and REPORT sin props.conf + corresponding stanzas in transforms.conf.

Why is this happening?

Tomas

woodcock · ‎12-05-2019

Adding fields * is a clever way to FORCE splunk to run in Smart Mode even when Fast Mode is selected. It should be that both Dashbaords and Scheduled Searches run in Smart Mode. If you are sure that this is not the case for you, then DEFINITELY open a support case. You need to tell Splunk more about the fields that are creating/referencing by adding INDEXED and or INDEXED_VALUE settings in fields.conf (it is a tricky thing):
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Fieldsconf

tomasmoser · ‎12-05-2019

It looks that default search mode for Splunk dashboards is FAST. I am finding contradictory answers to this question - some says FAST some says SMART. We seem to be running in FAST mode in dashboards and then do not get any results. In SMART wet get all events.

See my answer above. It looks like REPORT- stanza does not work in FAST mode while EXTRACT- does work. Weird.

woodcock · ‎12-05-2019

There should be no functional difference between REPORT- and EXTRACT- other than the order in which the 2 are done. Definitely open a support case.

tomasmoser · ‎12-05-2019

We found a problem but we do not understand why it's happening.

There were some fields defined via EXTRACT- stanza and some fields defined via REPORT- stanza using transforms.conf. In FAST mode only fields using EXTRACT were really extracted when we enforced extraction in SPL using field=. So far so good. However, those fields defined via REPORT- stanza were not extracted when enforced with field= in SPL.

When we switched from REPORT- EXTRACT- it started working as expected.

This does not make sense! What should we do if we wanted some more complex transformations via REPORT in FAST mode as this one is defualt for all dashboards ???

gcusello · ‎12-05-2019

Hi @tomasmoser,
the problem is that in Fast Mode you can use only the basic fields (index, sourcetype, source, host), you cannot use other fields.
For more details see at https://docs.splunk.com/Documentation/Splunk/8.0.0/Search/Changethesearchmode

Ciao.
Giuseppe

tomasmoser · ‎12-05-2019

That is not true. See my answer above.

tomasmoser · ‎12-05-2019

One important fact. We are extracting fields using following "special" hack

[(?::){0}k8s*]
EXTRACT-uno_fields = ^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z\s+(?P<severity>\w+)\s+(?P<logger>[^\s]+)\s+(?:(?P<th
readId>[^\s]+)?\s+)?\[(?P<thread>[^\]]+)\]\s+-\s+(?P<message>.*)
REPORT-uno_thread_fields = uno_thread_fields

EVAL-severity = if(isnotnull(severity), severity, "n/a")
EVAL-traceId = if(isnotnull(traceId), traceId, "n/a")
EVAL-parentId = if(isnotnull(parentId), parentId, "n/a")
EVAL-spanId = if(isnotnull(spanId), spanId, "n/a")
EVAL-logger = if(isnotnull(logger), logger, "n/a")

# temporarily for backward compatibility
FIELDALIAS-uno_logLevel = severity as uno_logLevel
FIELDALIAS-uno_logger = logger as uno_logger
FIELDALIAS-uno_thread = thread as uno_thread
FIELDALIAS-uno_message = message as uno_message
FIELDALIAS-uno_time = _time as uno_time

woodcock · ‎12-05-2019

The sourcetype-wildcard-hack is fine and should have nothing to do with this.

gcusello · ‎12-05-2019

do you use one of these fields as a filter in your search?

Ciao.
Giuseppe

tomasmoser · ‎12-05-2019

Yes, we use simple searches like

`index=blabla sourcetype=blabla`.

This does not work.

But if I explicitely add a filter with another field to be extracted it DOES NOT work too.

index=blabla sourcetype=blabla spanId=*

Then if I add | fields * it immediately starts working.

index=blabla sourcetype=blabla spanId=*
| fields *

gcusello · ‎12-05-2019

Hi @tomasmoser,
this was a bug in version 6.2, that was solved in the following releases!

Only one question: what's the time period of your search?
Please try non using earlies=now, in other words: use an old time period as yesterday or last hour and check if you have the same error.
At the same time the hint of @kamlesh_vaghela ·is fully correct: use only the fields you need!

If you continue to have the problem, open a ticket to Splunk Support: This helps all the Splunk users!

Ciao.
Giuseppe

Sukisen1981 · ‎12-05-2019

adding to what @gcusello says, I can confirm that he is correct. I am using the same code in 7.x vs 6.x.
I started to notice that if i ran the search in verbose mode (6.x) it was returning 1-2 events more thatn my dashboard results, now when i go to 7.x(at least for this particular instance) there is no difference.
This was a big bug in my opinion, since users would not even know that they are missing events in a dashboard but looks to have been fixed now

kamlesh_vaghela · ‎12-05-2019

@tomasmoser

I will not suggest | fields * but you can use | fields by mentioning required fields.
Like, YOUR_SEARCH | fields F1 F2 F3 etc

tomasmoser · ‎12-05-2019

We tried that. Does not work. Only "|fields *" works.

Search in fast vs smart modes does not return same number of events

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life