Splunk Search

Splunk Bug "fields command"

wessam
Explorer

I am facing an issue with the fields command, as I am generating Splunk queries like the one below:

    .....)|fields - records2,records

and it is working fine; however, after automating this query on a dashboard and running it several times, the query is changed and becomes

    .....)|fields-records2,records

which gives an error because there are no spaces between the characters!
So did anyone face the same issue, and could you please help me with a workaround or solution?


jplumsdaine22
Influencer

Support tell me this is fixed in 6.5.4

See SPL-140551 here: http://docs.splunk.com/Documentation/Splunk/6.5.4/ReleaseNotes/6.5.4

0 Karma

wessam
Explorer

Is there any workaround for this bug instead of using fields - ?

    index=xx |eval records='y'|stats values(records) as records list(y) as records2 by date_month|dedup records |eval records_after_dedup=mvcount(records), records_all=mvcount(records2)|fields - records2 records

as I would like to display a graph which represents the number of records after dedup and all records before dedup.

0 Karma

rmarcum
Explorer

I have successfully used my two suggestions above (i.e., "table" or put the code in a macro that contains the "fields -" command). Additionally, a real hack I sometimes use is a "focused" macro--e.g., FieldsMinus4 defined as:

    fields - $field1$, $field2$, $field3$, $field4$

Which I implement as:

    | makeresults | eval aField1=123 | eval aField2=456 | eval aField3=789 | `FieldsMinus4(aField1,a,b,c)`

This takes advantage of the fields command working whether or not the field(s) passed as arguments exist. Thus I populate the 4 arguments using a, b, c to make sure all 4 are there. This works for me for the many cases where there are fewer than 5 fields I need to remove.

Regards.

0 Karma
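The macro described in the post above, written out as a macros.conf stanza. This is an added example, not rmarcum's own configuration; the app name in the path is a placeholder, and the stanza follows the standard Splunk convention of `name(argument-count)` with a comma-separated `args` list.

```ini
# $SPLUNK_HOME/etc/apps/<your_app>/local/macros.conf  (app path is a placeholder)
# Four-argument macro; unused slots are filled with dummy field names (a, b, c)
# at call time, since "fields -" tolerates fields that do not exist.
[FieldsMinus4(4)]
args = field1,field2,field3,field4
definition = fields - $field1$, $field2$, $field3$, $field4$
iseval = 0
```

After saving the stanza (and restarting Splunk or reloading the app), the search in the post, `| makeresults | eval aField1=123 | eval aField2=456 | eval aField3=789 | \`FieldsMinus4(aField1,a,b,c)\``, drops aField1 while the other three argument names are silently ignored.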

jplumsdaine22
Influencer

We also see this with the sort command. Splunk 6.5.2

You can verify this on the file system from $SPLUNK_HOME/etc/:

    find ./users ./apps -type f -name '*.xml' -exec grep --color 'sort-|find-' {} +

I'm raising a support request for our users. I recommend you do the same.

0 Karma
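Building on the grep check above, here is a small scanner that walks the same directories, parses each Simple XML dashboard, and reports every `<query>` whose `fields` or `sort` command has lost the space before its minus sign; it can also write out a repaired copy. This is an added example rather than code from the thread or from Splunk; it assumes dashboards are Simple XML files containing `<query>` elements, the sample dashboard embedded below is constructed, and the directory arguments in the usage comment are placeholders.

```python
"""Scan Splunk Simple XML dashboards for search strings where the space after
`fields` or `sort` has been collapsed (`fields-records2` instead of
`fields - records2`), and optionally produce a repaired copy.
Added example; the sample dashboard and paths are constructed."""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# The symptom is a command name glued to the minus that should follow it.
# Match only in command position (right after a pipe) so that a field which
# happens to be named e.g. "sort-key" later in the pipeline is not flagged.
COLLAPSED = re.compile(r"(\|\s*)(fields|sort)-(?=\S)")


def find_collapsed(spl: str) -> list[str]:
    """Return every collapsed command token (e.g. 'fields-') found in one SPL string."""
    return [m.group(2) + "-" for m in COLLAPSED.finditer(spl)]


def repair(spl: str) -> str:
    """Reinsert the missing space: '|fields-a,b' -> '|fields - a,b'."""
    return COLLAPSED.sub(r"\1\2 - ", spl)


def scan_dashboard_xml(xml_text: str) -> list[tuple[str, list[str]]]:
    """Return (query text, collapsed tokens) for each affected <query> element."""
    root = ET.fromstring(xml_text)
    findings = []
    for node in root.iter("query"):
        text = node.text or ""
        hits = find_collapsed(text)
        if hits:
            findings.append((text, hits))
    return findings


def repair_dashboard_xml(xml_text: str) -> tuple[str, int]:
    """Return (repaired XML text, number of <query> elements changed)."""
    root = ET.fromstring(xml_text)
    changed = 0
    for node in root.iter("query"):
        if node.text and COLLAPSED.search(node.text):
            node.text = repair(node.text)
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


# Constructed sample dashboard: two damaged searches and one healthy one.
SAMPLE_DASHBOARD = """<dashboard>
  <row><panel><chart>
    <search><query>index=xx | stats count by host |fields-records2,records</query></search>
  </chart></panel></row>
  <row><panel><table>
    <search><query>index=xx | stats count by host | sort-count</query></search>
  </table></panel></row>
  <row><panel><table>
    <search><query>index=xx | stats count by host | fields - count</query></search>
  </table></panel></row>
</dashboard>"""


def scan_paths(paths):
    """Scan every *.xml file under the given directories; yield (path, findings)."""
    for base in paths:
        for xml_file in Path(base).rglob("*.xml"):
            try:
                findings = scan_dashboard_xml(xml_file.read_text(encoding="utf-8"))
            except ET.ParseError:
                continue  # not a Simple XML dashboard, or malformed; skip it
            if findings:
                yield xml_file, findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python scan_dashboards.py $SPLUNK_HOME/etc/users $SPLUNK_HOME/etc/apps
        for path, findings in scan_paths(sys.argv[1:]):
            for query, hits in findings:
                print(f"{path}: {hits} in: {query}")
    else:
        for query, hits in scan_dashboard_xml(SAMPLE_DASHBOARD):
            print(f"collapsed {hits} in: {query}")
        fixed, n = repair_dashboard_xml(SAMPLE_DASHBOARD)
        print(f"repaired {n} query element(s)")
```

Run it with no arguments to see it act on the embedded sample, or point it at the `users` and `apps` directories to check real dashboards. Repairing only reinserts the space in command position; titles that lost their dash, as mentioned elsewhere in the thread, cannot be reconstructed mechanically and are left alone.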

rmarcum
Explorer

I have been seeing this issue since we rolled out v6.5.x many weeks ago. I first encountered it when going in and out of the new Source edit feature, so I assume it has to do with recompilation of XML. I believe I see the same thing when I go into Source via "Views". I also see it in titles where I use a dash--e.g. "Title - More Title". Our admin has been unable to address the issue or provide a workaround. Basically, I have found no workaround other than not using "fields -", or using "table ...". This is the first time I have finally seen anyone mention such a HUGE issue on Splunk Answers...which has surprised me a bit. I use MSIE.

0 Karma

rjthibod
Champion

Can you share the XML for the dashboard?

Also, what version of Splunk and what browser are you using?

0 Karma

wessam
Explorer

Splunk version 6.5.1, and I am using IE11.

0 Karma

rjthibod
Champion

Can you share your XML for the dashboard?

0 Karma

DalJeanis
Legend

@rmarcum - please be sure to hit the "me-too" button if you want more eyes on the bug.

0 Karma

rmarcum
Explorer

BTW, another workaround I have for key code I do not want to change is to put it in a macro which seems to be immune to this issue. Again, I suspect "source".

0 Karma

wessam
Explorer

    <search>
      <query>..... |fields - records2,records</query>
      <earliest>0</earliest>
      <sampleRatio>1</sampleRatio>
    </search>
    <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
    <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
    <option name="charting.axisTitleX.visibility">visible</option>
    <option name="charting.axisTitleY.text">Number of Tickets</option>
    <option name="charting.axisTitleY.visibility">visible</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.axisX.scale">linear</option>
    <option name="charting.axisY.scale">linear</option>
    <option name="charting.axisY2.enabled">0</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart">column</option>
    <option name="charting.chart.bubbleMaximumSize">50</option>
    <option name="charting.chart.bubbleMinimumSize">10</option>
    <option name="charting.chart.bubbleSizeBy">area</option>
    <option name="charting.chart.nullValueMode">gaps</option>
    <option name="charting.chart.showDataLabels">all</option>
    <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
    <option name="charting.chart.stackMode">default</option>
    <option name="charting.chart.style">shiny</option>
    <option name="charting.drilldown">none</option>

0 Karma

rjthibod
Champion

Can you see what happens if you do the same thing in another browser (Chrome or FF)?

0 Karma

wessam
Explorer

The same issue happened.
0 Karma

rjthibod
Champion

What do you mean by "automating" this query? What exactly did you do that seems to have resulted in removing whitespace in the query?

0 Karma

wessam
Explorer

I mean that after the query is generated, I am just saving it into a dashboard, and after opening this dashboard several times, whitespace in the query is removed. That's weird, as I have only saved the query.

0 Karma