Splunk Search

Why am I able to return a list of fields with the fields command in a search, but not with the table command?

Communicator

Any ideas around this? When I use the fields command in this search:

some search | fields Activity1, Activity2...

I can see all the fields and the values on the left side, but if I change fields to the table command, then I don't see anything. All the fields appear as blank. Is there something I am missing here?

I appreciate any clues.

Thanks,
Raji.

Tags (2)
0 Karma

Communicator

Looks like I only have limited events populated with the values and rest blanks. and I was moving fast between sort asc/desc. Tried to run more specific queries with the where condition and saw some values populated. Thanks everyone for your comments and quick replies.

0 Karma

Motivator

Hi Iguinn
Know that fields command Keeps or removes fields from search results. while table command is a reporting command that Creates a table using only the field names specified.
When you write the search below you keep fields Activity1,Activity2.......

 some search | fields Activity1, Activity2...

therefore when you write this other search ,

 some search |table  Activity1, Activity2...

you should have a table with column where each column represent one field , all these fields containing the values.

first proposition
If you haven't the values with table command let go to the far page to see , because certains rows couldn.t have the values.
just verify another rows of your table

second proposition
Make sure that fields that you used with table command are present in the search before pipe.

0 Karma

Legend

What mode are you using to run your search? Fast, verbose and smart modes behave differently with regard to field extraction. Also, what tab are you looking at? The table command is a reporting command; the fields command is not - so the two commands will present results in different tabs.

0 Karma

Influencer

May be the fields doesn't have values for all the events.. To start with, after running the table command, click on any of the field header and it will sort the values and you might end up seeing some values.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!