Splunk Search

Why is "stats" not working for the default "component" field on the internal except for in verbose mode?

hettervik
Builder

Hi. We are trying to do some stats on the "component" field in the internal splunkd logs, but have encountered a strange problem: the stats command only works if we search in "Verbose Mode". If we switch to "Smart Mode" or "Fast Mode", the search gives no results.

This is our search:

index=_internal sourcetype=splunkd component=* | stats count by component

This is the default regex in props.conf in the search app for the "component" field:

(?i)^(?:[^ ]* ){2}(?:[+\-]\d+ )?(?P<log_level>[^ ]*)\s+(?P<component>[^ ]+) - (?P<event_message>.+)

I've tried running the regex manually with the rex command, so I know it works fine. Also, I tried running the stats command in the search app itself, to ensure that there are no permission errors, but the results are the same. The permission for the field extraction is set to read for everyone and global anyway, so it should not matter. Also, since the extraction works in verbose mode, we know it actually works, as the component field would not be extracted by a normal key-value pair extraction. It has to be extracted by the regex.

Example of an internal log with the component field (being "Metrics" in this case):

10-19-2020 10:36:03.997 +0200 INFO  Metrics - group=thruput, name=uncooked_output, instantaneous_kbps=0, instantaneous_eps=0, average_kbps=0, total_k_processed=0, kb=0, ev=0

Also, if I search for only "index=_internal sourcetype=splunkd" in smart mode, the component field is extracted, but if I then click on the field in the UI and click e.g. "Top values", it gives no results again.

Can anyone explain this behaviour, and what may be the cause?

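As an added example (not part of the original post or of Splunk's own code), the following Python script applies the exact props.conf regex quoted above to a handful of constructed splunkd-style events and tallies them the way `| stats count by component` would. It lets you confirm outside of Splunk what the extraction should yield for a given set of raw events, including an event without the optional timezone offset and a line that does not match the format at all. It assumes that Python's `re` engine treats this particular pattern the same way Splunk's PCRE engine does (it does: only named groups, a non-capturing repeat and an inline flag are used); the sample events are invented and are not real log data.

```python
import re
from collections import Counter

# The "component" extraction regex from the search app's props.conf, exactly as quoted in the post.
SPLUNKD_RE = re.compile(
    r"(?i)^(?:[^ ]* ){2}(?:[+\-]\d+ )?(?P<log_level>[^ ]*)\s+(?P<component>[^ ]+) - (?P<event_message>.+)"
)

# Constructed sample events in splunkd log format (not real data). The first one is the
# Metrics event from the post; the TailReader event deliberately omits the "+0200" offset,
# and the last line is not a splunkd event at all.
SAMPLE_EVENTS = [
    "10-19-2020 10:36:03.997 +0200 INFO  Metrics - group=thruput, name=uncooked_output, instantaneous_kbps=0, instantaneous_eps=0, average_kbps=0, total_k_processed=0, kb=0, ev=0",
    "10-19-2020 10:36:04.001 +0200 INFO  Metrics - group=pipeline, name=parsing, processor=utf8, cpu_seconds=0.000000",
    "10-19-2020 10:36:05.120 +0200 WARN  TcpOutputProc - Cooked connection to ip=10.0.0.5:9997 timed out",
    "10-19-2020 10:36:06.000 +0200 ERROR ExecProcessor - message from \"/opt/splunk/bin/script.sh\" exited with code 1",
    "10-19-2020 10:36:07.000 INFO  TailReader - State transitioning from 2 to 0 (initOrResume)",
    "this line does not match the splunkd format",
]


def extract_fields(event: str):
    """Apply the props.conf regex to one raw event.

    Returns a dict with log_level, component and event_message, or None when the
    line does not match (no field would be extracted for it in Splunk either).
    """
    m = SPLUNKD_RE.match(event)
    return m.groupdict() if m else None


def stats_count_by_component(events):
    """Mimic `... component=* | stats count by component`.

    Events for which the regex yields no component are dropped, exactly as
    `component=*` would filter them out before stats runs.
    """
    counter = Counter()
    for ev in events:
        fields = extract_fields(ev)
        if fields is not None:
            counter[fields["component"]] += 1
    return dict(counter)


if __name__ == "__main__":
    # Print the same table the search would show, highest count first.
    for component, count in sorted(
        stats_count_by_component(SAMPLE_EVENTS).items(), key=lambda kv: (-kv[1], kv[0])
    ):
        print(f"{component}\t{count}")
```

If a raw event from _internal fails to match here, the props.conf regex would not extract a component for it in any search mode; if it matches here but the search still returns nothing outside verbose mode, the raw regex is not the thing to keep testing.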

andsov
Explorer

+1 On this issue, we are also experiencing the exact same problem.

0 Karma