Hi,
One of my users reported a bit of an odd issue that spontaneously developed recently. He's got a very long and complicated query which had worked fine for months, but, for some reason, no longer displays results if he uses a "| table a b c d" towards the end of his search, but only if he doesn't run the command in Verbose search mode.
Every other part of the search works fine in Fast/Smart mode, and the fields he wants to display are visible in the Selected Fields area, and I can even "| fields a b c d" to ensure that only those fields are present, but the use of the table command returns 0 results.
He can run the search in Verbose mode and it works as expected, but this is new behaviour to us.
The sourcetype he's using is defined in the app's props.conf, and it's just doing a field extraction of a number of key fields, and our setup is a 6.6.3 Search Head talking to a 6.6.2 index cluster.
Many of the fields he's trying to put into the table are created out of using eventstats, rename, lookups, or evals -- but, from his perspective, this all worked in non-Verbose mode just fine, but something "changed" and now it doesn't.
I realise there's not a lot to go on here, but I'm curious if this is familiar to anyone else.
Note that I can create a Table in output-format (Raw/List/Table) with the selected fields just fine, and, as I say, the Fields command works fine, so we can modify his alert to still get the same output he was getting last week, but I'm at a loss to understand why everything in his query works except for the |table even though the fields are selected and displayed and can be manipulated just fine in other search modes.