Hi @rajan_kumar_rai , I didn't have experience on this issue after thst (8 years ago). If you still have this issue, open a case to Splunk Support. But before update you Splunk becaue I'm not sure that your release is still under maintenance. Ciao. Giuseppe ... View more

I had the same problem, but I wasn't aware of "$trellis.value$"!  It solved my problem. Thanks! ... View more

@vxsplunk Did you ever find a solution for this issue? I am having the same issue currently and am unable to fix it. ... View more

Splunk will also auto discover fields that are mentioned in the search and it doesn't matter in which search mode you are, but that shouldn't be the problem because this 'ses' field will be used in the search (ses=1234567890). It will be a key-part of the search I ultimately trying to use. Some documentation about this (see the link I mentioned in the question and in you last comment http://docs.splunk.com/Documentation/Splunk/6.5.0/Knowledge/WhenSplunkEnterpriseaddsfields): When field discovery is enabled, Splunk software: - Identifies and extracts the first 50 fields that it finds in the event data that match obvious key=value pairs. This 50 field limit is a default that you can modify by editing the [kv] stanza in limits.conf, if you have Splunk Enterprise. - Extracts any field explicitly mentioned in the search that it might otherwise have found though automatic extraction, but is not among the first 50 fields identified. - Performs custom field extractions that you have defined, either through the Field Extractor, the Extracted Fields page in Settings, configuration file edits, or search commands such as rex. Is Splunk following this order as mentioned (top-down)? - Yes? Then I expect my example in the question to work - No? What order is followed? ... View more

Yes, look at this example: http://docs.splunk.com/Documentation/Splunk/6.3.1511/Viz/Chartcontrols#Chart_overlay_example_.28dual_axis.29 ... View more