Using the Fast mode
The Fast mode prioritizes the performance of the search and does not return nonessential field or event data. This means that the search returns what is essential and required.
- Disables field discovery. Field discovery is the process Splunk software uses to extract fields aside from default fields such as
host,source, andsourcetype. The Splunk software only returns information on default fields and fields that are required to fulfill your search. If you are searching on specific fields, those fields are extracted. - Only depicts search results as report result tables or visualizations when you run a reporting search. A reporting search is a search that includes transforming commands. Under the Fast mode you will see only event lists and event timelines for searches that do not include transforming commands.
Using the Smart mode
All reports run in Smart mode, the default search mode, after they are first created. By design, the Smart mode returns the best results for whatever search or report you run. If you search on events, you get all the event information you need. If you run a transforming search, the Splunk software favors speed over thoroughness and brings you straight to the report result table or visualization.
When you run a Smart mode search that does not include transforming commands, the search behaves as if it were in Verbose mode.
- Discovers all the fields it can.
- Generates the full event list and event timeline. No event table or visualization will appear because you need transforming commands to make those happen.
When you run a Smart mode search that includes transforming commands, the search behaves as if it were in Fast mode.
- Disables field discovery.
- Does not waste time generating the event list and event timeline and jumps you straight to the report result table or visualization.
Using the Verbose mode
The Verbose mode returns all of the field and event data it possibly can, even if it means the search takes longer to complete, and even if the search includes reporting commands.
- Discovers all of the fields it can. This includes default fields, automatic search-time field extractions, and all user-defined index-time and search-time field extractions. Discovered fields are displayed in the left-hand fields sidebar in the Events results tab.
- Returns an event list view of results and generates the search timeline. It also generates report tables and visualizations if your search includes reporting commands.
You may want to use the Verbose mode if you are putting together a transforming search but are not exactly sure what fields you need to report on, or if you need to verify that you are summarizing the correct events.
Sources: Splunk
