Splunk Search

Table showing fields from excluded events after head

plapila
Explorer

Is this intended behavior?

After selecting only a single event with "head 1", fields from excluded events that occurred at the same time can be seen in a table when using wildcards, for example "table _time,tags.* values.*".

0 Karma

bowesmana
SplunkTrust

Yes, unfortunately this is the way it works. I have never fully worked out why this is the case, but most of the time it doesn't really matter. I have used techniques to solve this where I needed to only get the fields that pertained to the particular event, but that involved quite a bit of other work.

You can do something simple like

search bla
| transpose 0
| where isnotnull('row 1')
| transpose 0 header_field=column
| fields - column

If this is just about data investigation and looking for things.

Give us more on any use case where this is an issue and we can see if there is a way to solve it.


0 Karma

yuanliu
SplunkTrust

OK, I can see what you mean now. And I can confirm with this emulation:

| makeresults format=csv data="a,b,c,d
va,vb
,,vc,vd"
| head 1

The result keeps all four columns even though only a and b have values on the surviving row:

a    b    c    d
va   vb

With little information from its official documentation, I can argue either way as to whether this is a feature or a bug. But you must have a use case in mind. How will head be used in your application, and what is your expected result?

0 Karma
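As an added example (not code from either poster), bowesmana's transpose workaround applied to yuanliu's makeresults emulation; it assumes, as that workaround does, that the values head leaves behind for c and d come out of transpose as null, so only the fields populated on the surviving row remain:

```spl
| makeresults format=csv data="a,b,c,d
va,vb
,,vc,vd"
| head 1
| transpose 0
| where isnotnull('row 1')
| transpose 0 header_field=column
| fields - column
```

The first transpose turns each field into a row named in "column" with its value in "row 1", the where clause drops the rows for c and d, and the second transpose restores a single result carrying only a and b.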

plapila
Explorer

Screencaptures for clarification

[Screen captures: Splunk_search_fields1.jpg, Splunk_search_fields2.jpg]

0 Karma

plapila
Explorer

[Screen capture: Splunk_search_fields1.jpg]

0 Karma

yuanliu
SplunkTrust

You need to qualify your question with a dataset (mockup or sanitized), SPL, and results. I cannot reproduce what you described based on my mind-reading of your question. But you must not rely on volunteers reading your mind. (It is never good to force people to read your mind.)

0 Karma