https://community.splunk.com/t5/Splunk-Search/Internal-field-serial-is-gone-in-v6-2-3-why/m-p/155402#M185688 <P>Based on the comment by @acharlieh I went back and played around and have concluded that <CODE>_serial</CODE> only exists for the first set of events that are returned (whatever is under the <CODE>events</CODE> tab). Evidently <CODE>_serial</CODE> is destroyed by doing any other commands which modify the initial result-set in any way, never to be recalculated. This is extremely unfortunate since this makes <CODE>_serial</CODE> pretty much useless. My situation was that I was hoping to use it after doing a <CODE>stats</CODE> command but it is gone by then. To remedy this, I regenerated <CODE>_serial</CODE> myself like this instead:</P> <PRE><CODE>... | streamstats current=f count AS _serial </CODE></PRE> Sat, 13 Jun 2015 21:04:58 GMT woodcock 2015-06-13T21:04:58Z https://community.splunk.com/t5/Splunk-Search/Internal-field-serial-is-gone-in-v6-2-3-why/m-p/155399#M185685 <P>I only just found out about the existence of the internal <CODE>_serial</CODE> field which should be equal to the row-number less 1 (e.g. first row has <CODE>_serial</CODE> value of 0, second row has <CODE>_serial</CODE> value of 1, etc.) but no matter what I do, I cannot get examples that have been posted here before that use <CODE>_serial</CODE> to work. What is the deal with <CODE>_serial</CODE>? When did it go away and was it deliberate or a bug?</P> Fri, 12 Jun 2015 13:29:43 GMT https://community.splunk.com/t5/Splunk-Search/Internal-field-serial-is-gone-in-v6-2-3-why/m-p/155399#M185685 woodcock 2015-06-12T13:29:43Z https://community.splunk.com/t5/Splunk-Search/Internal-field-serial-is-gone-in-v6-2-3-why/m-p/155400#M185686 <P>I never heard of this field. What is the notion of row number in splunk ?<BR /> was it for CSV files ? Because this is gone since the 6.* and the INDEXED_EXTRACTIONS.</P> <P>In case the field is there but hidden, try :<BR /> - try to cast it in a field with an eval first.</P> <PRE><CODE>&lt;my search&gt; | eval serial=_serial | table serial _raw </CODE></PRE> <P>or maybe try to add it to the fields.conf</P> Sat, 13 Jun 2015 12:56:42 GMT https://community.splunk.com/t5/Splunk-Search/Internal-field-serial-is-gone-in-v6-2-3-why/m-p/155400#M185686 yannK 2015-06-13T12:56:42Z https://community.splunk.com/t5/Splunk-Search/Internal-field-serial-is-gone-in-v6-2-3-why/m-p/155401#M185687 <P>I upgraded a 6.2.1 instance to 6.2.3 and I'm able to still see <CODE>_serial</CODE> and other hidden fields in results doing a search like <CODE>index=_internal | fields - _raw | rename _* as *_x | table *_x</CODE> That said, _serial and other hidden fields can be altered and destroyed by transforming commands. So the question is what examples are you trying that seem to not be working?</P> Sat, 13 Jun 2015 20:40:23 GMT https://community.splunk.com/t5/Splunk-Search/Internal-field-serial-is-gone-in-v6-2-3-why/m-p/155401#M185687 acharlieh 2015-06-13T20:40:23Z https://community.splunk.com/t5/Splunk-Search/Internal-field-serial-is-gone-in-v6-2-3-why/m-p/155402#M185688 <P>Based on the comment by @acharlieh I went back and played around and have concluded that <CODE>_serial</CODE> only exists for the first set of events that are returned (whatever is under the <CODE>events</CODE> tab). Evidently <CODE>_serial</CODE> is destroyed by doing any other commands which modify the initial result-set in any way, never to be recalculated. This is extremely unfortunate since this makes <CODE>_serial</CODE> pretty much useless. My situation was that I was hoping to use it after doing a <CODE>stats</CODE> command but it is gone by then. To remedy this, I regenerated <CODE>_serial</CODE> myself like this instead:</P> <PRE><CODE>... | streamstats current=f count AS _serial </CODE></PRE> Sat, 13 Jun 2015 21:04:58 GMT https://community.splunk.com/t5/Splunk-Search/Internal-field-serial-is-gone-in-v6-2-3-why/m-p/155402#M185688 woodcock 2015-06-13T21:04:58Z