S.o.S. Errors view no longer showing event counts ...

paulstark · ‎05-07-2014

Ive seen this behavior in many deployments. In the Splunk on Splunk errors page, I select 'Group Similar Events' and the cluster_count does not show up. why?

Ellen · ‎09-09-2014

Since 6.0.3, the cluster search command no longer returns the cluster_count by default.

eg. showcount = false

Prior to 6.0.3, the default of showcount = true

Since displaying the count could have a performance impact, from 6.0.3+ a user can pass showcount = true to the cluster command to return the cluster_count.

eg. index=_internal | cluster showcount=true | table cluster_count, _raw

SPL-83560 updates the documentation for the cluster command default showcount option

hexx · ‎05-07-2014

This is caused by a bug with Splunk Enterprise (reference: SPL-83560) which will be fixed in a future maintenance release.

hexx · ‎05-27-2014

Yes, the issue is indeed with the "cluster" command.

thisissplunk · ‎05-27-2014

Does this also explain why the cluster_count field added to events by the cluster commmand aren't showing up anymore as well? Only cluster_label is showing up now for me.

S.o.S. Errors view no longer showing event counts for clustered events

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life