Building for the Splunk Platform

What is the difference of results between verbose and fast mode?

Alaza
Explorer

Hello,

this is my query :

(index="uno") OR (index="secundo" earliest=-36mon)
|fields Closed_Date Incident_Number Description Up Overal IDno
|eval ID=coalesce(Incident_Number, IDno)

When the dashboard is loading, it is in Fast mode and don't show the good result.
The good result appears in Verbose mode.
Some fields of the index secundo are empty when the fast mode is used and filled in verbose mode.

I don't get it : with or without "fields" the result is the same, why ?
Thanks for your help.

Tags (3)

hongbo_miao
Path Finder

Add one more document found at https://docs.splunk.com/Splexicon:Searchmode

A setting that optimizes your search performance by controlling the amount or type of data that the search returns. Search mode has three settings: Fast, Verbose, and Smart.

  • Fast mode speeds up searches by limiting the types of data returned by the search.
  • Verbose mode returns as much event information as possible, at the expense of slower search performance.
  • Smart mode, the default setting, toggles search behavior based on whether your search contains transforming commands. For transforming searches, it behaves like Fast mode. For searches without transforming commands, it behaves like Verbose mode.
0 Karma

sduff_splunk
Splunk Employee
Splunk Employee

Refer to the documentation on the different search modes
https://docs.splunk.com/Documentation/Splunk/latest/Search/Changethesearchmode

Using the Fast mode
The Fast mode prioritizes the performance of the search and does not return nonessential field or event data. This means that the search returns what is essential and required.

  • Disables field discovery. Field discovery is the process Splunk software uses to extract fields aside from default fields such as host, source, and sourcetype. The Splunk software only returns information on default fields and fields that are required to fulfill your search. If you are searching on specific fields, those fields are extracted.
  • Only depicts search results as report result tables or visualizations when you run a reporting search. A reporting search is a search that includes transforming commands. Under the Fast mode you will see only event lists and event timelines for searches that do not include transforming commands.

Verbose
The Verbose mode returns all of the field and event data it possibly can, even if it means the search takes longer to complete, and even if the search includes reporting commands.

  • Discovers all of the fields it can. This includes default fields, automatic search-time field extractions, and all user-defined index-time and search-time field extractions. Discovered fields are displayed in the left-hand fields sidebar in the Events results tab.
  • Returns an event list view of results and generates the search timeline. It also generates report tables and visualizations if your search includes reporting commands

Depending on how the fields you are interested in (Closed_Date Incident_Number Description Up Overal IDno) are determined/extracted, they may or may not be present in fast mode.

If you use smart mode, you should get a good balance of speed and the fields you need.

Alaza
Explorer

Thanks for the return but I know this documentation.
What I don't know is why the search inside the dashboard is in fast mode ?
And how can I run the the search inside the dashboard in verbose mode.

I mentionned the fields needed with the command "fields" but it doesn't change anything.

0 Karma

sduff_splunk
Splunk Employee
Splunk Employee

Does the following return the expected results in your dashboard?

(index="uno") OR (index="secundo" earliest=-36mon) | fields *
 |eval ID=coalesce(Incident_Number, IDno)
 |fields Closed_Date Incident_Number Description Up Overal IDno
0 Karma

Alaza
Explorer

Unfortunatly, the result is the same.

0 Karma

Alaza
Explorer

Is it possible to forced the dashboard in verbose mode ?

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...