this is my query :
(index="uno") OR (index="secundo" earliest=-36mon) |fields Closed_Date Incident_Number Description Up Overal IDno |eval ID=coalesce(Incident_Number, IDno)
When the dashboard is loading, it is in Fast mode and don't show the good result.
The good result appears in Verbose mode.
Some fields of the index secundo are empty when the fast mode is used and filled in verbose mode.
I don't get it : with or without "fields" the result is the same, why ?
Thanks for your help.
Add one more document found at https://docs.splunk.com/Splexicon:Searchmode
A setting that optimizes your search performance by controlling the amount or type of data that the search returns. Search mode has three settings: Fast, Verbose, and Smart.
Refer to the documentation on the different search modes
Using the Fast mode
The Fast mode prioritizes the performance of the search and does not return nonessential field or event data. This means that the search returns what is essential and required.
The Verbose mode returns all of the field and event data it possibly can, even if it means the search takes longer to complete, and even if the search includes reporting commands.
Depending on how the fields you are interested in (Closed_Date Incident_Number Description Up Overal IDno) are determined/extracted, they may or may not be present in fast mode.
If you use smart mode, you should get a good balance of speed and the fields you need.
Thanks for the return but I know this documentation.
What I don't know is why the search inside the dashboard is in fast mode ?
And how can I run the the search inside the dashboard in verbose mode.
I mentionned the fields needed with the command "fields" but it doesn't change anything.
Does the following return the expected results in your dashboard?
(index="uno") OR (index="secundo" earliest=-36mon) | fields * |eval ID=coalesce(Incident_Number, IDno) |fields Closed_Date Incident_Number Description Up Overal IDno