Is there any workaround for this bug instead of using fields - ?

index=xx |eval records='y'|stats values(records) as records list(y) as records2 by date_month|dedup records |eval records_after_dedup=mvcount(records), records_all=mvcount(records2)|fields - records2 records

as i would like to display graph which represents number of records after dedup and all records before dedup.

I have successfully used my two suggestions above (i.e., "table" or put the code in a macro that contains the "fields -" command). Additionally, a real hack I sometimes use is a "focused" macro--e.g., FieldsMinus4 defined as:

    fields - $field1$, $field2$, $field3$, $field4$

Which I implement as:

    | makeresults | eval aField1=123 | eval aField2=456 | eval aField3=789 | `FieldsMinus4(aField1,a,b,c)`

This takes advantage of the fields command working whether or not the field(s) exist that are passed as arguments. Thus I populate the 4 arguments using a, b, c, to make sure all 4 are there. This works for me for the many cases where there are less than 5 fields I need to remove.

Regards.

Splunk Version 6.5.1 and i am using IE11

Can you share your XML for the dashboard?

I have been seeing this issue since we rolled out v6.5.x many weeks ago. I first encountered it when going in and out of the new Source edit feature, so I assume it has to do with recompilation of XML. I believe I see the same thing when I go into Source via "Views". I also see it in titles where I use a dash--e.g. "Title - More Title". Our admin has been unable to address the issue or provide a workaround. Basically, I have found no workaround other than not using "fields -", or using "table ...". This is the first time I have finally seen anyone mention such a HUGE issue on Splunk Answers...which has surprised me a bit. I use MSIE.

@rmarcum - please be sure to hit the "me-too" button if you want more eyes on the bug.

BTW, another workaround I have for key code I do not want to change is to put it in a macro which seems to be immune to this issue. Again, I suspect "source".

Is there any workaround for this bug instead of using fields - ?

index=xx |eval records='y'|stats values(records) as records list(y) as records2 by date_month|dedup records |eval records_after_dedup=mvcount(records), records_all=mvcount(records2)|fields - records2 records

as i would like to display graph which represents number of records after dedup and all records before dedup.

    <search>
      <query>..... |fields - records2,records</query>
      <earliest>0</earliest>
      <sampleRatio>1</sampleRatio>
    </search>
    <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
    <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
    <option name="charting.axisTitleX.visibility">visible</option>
    <option name="charting.axisTitleY.text">Number of Tickets</option>
    <option name="charting.axisTitleY.visibility">visible</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.axisX.scale">linear</option>
    <option name="charting.axisY.scale">linear</option>
    <option name="charting.axisY2.enabled">0</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart">column</option>
    <option name="charting.chart.bubbleMaximumSize">50</option>
    <option name="charting.chart.bubbleMinimumSize">10</option>
    <option name="charting.chart.bubbleSizeBy">area</option>
    <option name="charting.chart.nullValueMode">gaps</option>
    <option name="charting.chart.showDataLabels">all</option>
    <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
    <option name="charting.chart.stackMode">default</option>
    <option name="charting.chart.style">shiny</option>
    <option name="charting.drilldown">none</option>

Can you see what happens if you do the same thing in another browser (Chrome or FF)?

the same issue happened
Is there any workaround for this bug instead of using fields - ?

index=xx |eval records='y'|stats values(records) as records list(y) as records2 by date_month|dedup records |eval records_after_dedup=mvcount(records), records_all=mvcount(records2)|fields - records2 records

as i would like to display graph which represents number of records after dedup and all records before dedup.

i mean that after the query in generated , i am just saving it into a dashboard and after opening this dashboard several times . whitespace in query is removed so that's weird as i have only saved the query