Which search mode returns all fields?

The search mode that returns all fields is the verbose mode. In this mode, when you run a search, Splunk extracts all the fields from the events that match your search criteria. This includes both the default fields that Splunk automatically brings in, such as timestamps and source types, as well as any extracted custom fields that may be defined within the data.

Verbose search mode is particularly useful when you need to conduct in-depth analysis or when you're troubleshooting issues, as it gives you comprehensive visibility into the data. This allows users to see every piece of information available, making it easier to work with complex datasets.

In contrast, other search modes like fast mode prioritize speed over the amount of information returned. This means that they focus on essential fields to deliver quicker results but may omit some detailed field data. Smart mode aims to balance speed and details by returning a mix of fields depending on the results set, while basic mode is the simplest search returning the least amount of field information. Therefore, verbose mode is uniquely positioned to provide a complete view of the data by returning all fields.