
getting results in verbose mode but not in smart or fast mode


I have indexed a file using INDEXED_EXTRACTION=csv in props.conf.
When I search index=abc field_name=123, I get results in all three modes (fast/smart/verbose) and all fields are extracted as expected, but when I try

index=abc field_name=123|table field_name 

I only get results in Verbose mode; fast/smart mode gives no results. Then I tried using fields in the search, but the issue is still the same.

index=abc field_name=123|fields *|table field_name 

This also gives results in Verbose mode, and fast/smart mode gives no results.
Kindly help me resolve this issue.

0 Karma


INDEXED_EXTRACTION is a field extraction done at index time. All fields are extracted when the data is indexed, and they are always available in the events. The Search Mode (Fast/Verbose/Smart) only affects what is displayed at search time. Just to clarify: I assume that by "results" you mean that when you switch to the Events tab of the search results, you see no fields when you turn/open the twistie on an event.
1. index=abc field_name=123|table field_name - All fields in the head of the search appear in the Events, regardless of the search level. Thus, in all levels you will see index and field_name, both highlighted (yellow). Smart and verbose will show all fields extracted at index time.
2. index=abc - In "fast" mode, you will only see index, but no additional fields will be shown.
3. index=abc field_name=123|fields *|table field_name - Same as in 1.

Please note: The fields command affects the internal representation of the result. fields - <name> will remove a field from the result. After fields - field_name, expanding the Events will no longer show field_name. fields + * (equivalent to fields *) keeps all fields that **already are in the result** in the result (it does nothing). Hence the + is misleading. Adding a field that does not exist in your result, ... | fields + newfield | ..., will in effect remove all fields and keep the non-existent one. The field list will be empty after this.

0 Karma


Hi ips_mandar,
I experienced this behaviour; in a past release there was also a bug, so I had a different number of results between modes!

Anyway, it's correct to have no results in Fast mode because you don't have any field to search.

It's not so clear in Smart mode: did you try to display results in Verbose mode, put field_name in interesting fields and then run the search again in Smart mode?


0 Karma