Hi
Thanks for the help.
@chanfoli: No, changing the search to verbose mode does not help - the results are the same. Adding FIELDNAME=* does not help either. This is because the search, whether in verbose or smart mode, does not extract the fields in the first place.
@esix_splunk: Perhaps - some of the sourcetypes are CSV files, perhaps it's associated with a built-in CSV sourcetype. Could this be the case? I don't believe I have any TAs installed on my Splunk installation.
I believe that the following issue is related to this matter.
When I perform this search:
(sourcetype="wa_messages" OR sourcetype="sms")
I get 42 fields. However, if I add one more sourcetype to this search, I get fewer fields (34 of them). This is causing issues with finding relevant data. Is there any way to solve this?
Thanks