Hello everyone,

We recently upgraded our Splunk Enterprise from 7.x to 8.1.7.2 and we noticed some changes when we search on sourcetype.

Some of our sourcetypes can contain different types of data. Let's say we have data A stored in sourcetype SRCT with some fields corresponding to this type of data: field1_A, field2_A. And data B is also stored in sourcetype SRCT with its own fields: field1_B, field2_B.

If we do a simple search:

    index=index sourcetype=SRCT field1_A=value1 | table *

In Splunk Enterprise 7.x, the table only shows the fields that concern data A, that is to say, field1_A, field2_A:

    field1_A  field2_A
    value1    value2

Now, since the upgrade, the table shows all the fields from data A and data B, even if the data we are looking for is data A. In this case, field1_B and field2_B are empty:

    field1_A  field2_A  field1_B  field2_B
    value1    value2

BUT: if we do not specify sourcetype=SRCT in our search:

    index=index field1_A=value1 | table *

It only shows the fields field1_A and field2_A:

    field1_A  field2_A
    value1    value2

It's as if searching on sourcetype makes it retrieve all the fields that this sourcetype has encountered without discarding null fields. The same can be noticed when we search on source.

Has anyone seen this before? What can explain this change of behavior?
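As an added example (not part of the original post), the same search written with an explicit field list instead of `table *`. Naming the columns gives identical output on 7.x and 8.1.7.2 whichever fields the sourcetype has encountered, so it is a quick way to keep saved searches and dashboards stable across the upgrade while the `table *` change is investigated. The index name, sourcetype, field names and values are the placeholders from the post.

```spl
index=index sourcetype=SRCT field1_A=value1
| fields field1_A field2_A
| table field1_A field2_A
```

`fields field1_A field2_A` drops every other field (including the empty field1_B and field2_B columns) before the result set reaches `table`, so the column set no longer depends on which fields the sourcetype or source has ever produced.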