Splunk Search

getting results in verbose mode but not in smart or fast mode

ips_mandar
Builder

I have indexed a file using INDEXED_EXTRACTION=csv in props.conf.
When I search index=abc field_name=123 I get results in all three modes, i.e. fast/smart/verbose mode, and all fields are extracted as expected, but when I try

index=abc field_name=123|table field_name

I only get results in Verbose mode; fast/smart mode gives no results. Then I tried using fields in the search, still the same issue.

index=abc field_name=123|fields *|table field_name

This also gives results in Verbose mode only; fast/smart mode gives no results.
Kindly help me resolve this issue.
Thanks,

0 Karma

ololdach
Builder

INDEXED_EXTRACTION is a field extraction done at index time. All fields are extracted when the data is indexed and they are always available in the events. The Search Mode (Fast/Verbose/Smart) only affects what is displayed at search time. Just to clarify: I assume that by "results" you mean that when you switch to the Events tab of the search results, you see no fields when you open the twistie on an event.
1. index=abc field_name=123|table field_name - All fields in the head of the search appear in the Events, regardless of the search mode. Thus, in all modes you will see index and field_name, both highlighted (yellow). Smart and Verbose will show all fields extracted at index time.
2. index=abc - In Fast mode, you will only see index; no additional fields will be shown.
3. index=abc field_name=123|fields *|table field_name - Same as in 1.

Please note: the fields command affects the internal representation of the result. fields - <name> removes a field from the result. After fields - field_name, expanding the Events will no longer show field_name. fields + * (equivalent to fields *) keeps all fields that **already are in the result** in the result (it does nothing). Hence the + is misleading. Adding a field that does not exist in your result, ... | fields + newfield | ..., will in effect remove all fields and keep the non-existent one. The field list will be empty after this.

0 Karma
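To make the fields/table semantics in the reply above concrete, here is a small Python model of those two commands run over constructed events (an added example, not Splunk's own code; it ignores internal _* fields and does not model search modes):

```python
import fnmatch

# Constructed sample: rows as they would exist after INDEXED_EXTRACTIONS=csv,
# i.e. every field is already present in each result before any pipe command.
EVENTS = [
    {"index": "abc", "field_name": "123", "host": "web01", "status": "200"},
    {"index": "abc", "field_name": "123", "host": "web02", "status": "500"},
    {"index": "abc", "field_name": "999", "host": "web03", "status": "200"},
]


def fields_cmd(results, spec):
    """Model of SPL `fields`: '- a b' removes the listed fields; '[+] a b'
    keeps only listed fields that already exist in each result (wildcards ok).
    A name that matches nothing therefore keeps nothing."""
    parts = spec.split()
    if parts and parts[0] == "-":
        patterns, keep_mode = parts[1:], False
    elif parts and parts[0] == "+":
        patterns, keep_mode = parts[1:], True
    else:
        patterns, keep_mode = parts, True
    out = []
    for ev in results:
        matched = {k for k in ev if any(fnmatch.fnmatch(k, p) for p in patterns)}
        if keep_mode:
            out.append({k: v for k, v in ev.items() if k in matched})
        else:
            out.append({k: v for k, v in ev.items() if k not in matched})
    return out


def table_cmd(results, names):
    """Model of SPL `table`: one row per result, only the named columns."""
    return [{n: ev.get(n) for n in names} for ev in results]


def field_names(results):
    """Sorted list of field names present anywhere in the result set."""
    return sorted({k for ev in results for k in ev})


if __name__ == "__main__":
    print(field_names(fields_cmd(EVENTS, "*")))            # unchanged
    print(field_names(fields_cmd(EVENTS, "- field_name")))  # field_name gone
    print(field_names(fields_cmd(EVENTS, "+ newfield")))    # empty list
    print(table_cmd(fields_cmd(EVENTS, "*"), ["field_name"]))
```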

gcusello
Legend

Hi ips_mandar,
I experienced this behaviour; in a past release there was also a bug, so I got a different number of results between modes!

Anyway, it's correct to have no results in Fast mode because you don't have any field for the search.

It's not so clear in Smart mode: did you try to display results in Verbose mode, put field_name in the interesting fields and then run the search again in Smart mode?

Bye.
Giuseppe

0 Karma