Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Internal field `_serial` is gone in v6.2.3; why?

woodcock
Esteemed Legend
‎06-12-2015 06:29 AM

I only just found out about the existence of the internal _serial field which should be equal to the row-number less 1 (e.g. first row has _serial value of 0, second row has _serial value of 1, etc.) but no matter what I do, I cannot get examples that have been posted here before that use _serial to work. What is the deal with _serial? When did it go away and was it deliberate or a bug?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-13-2015 02:04 PM

Based on the comment by @acharlieh I went back and played around and have concluded that _serial only exists for the first set of events that are returned (whatever is under the events tab). Evidently _serial is destroyed by doing any other commands which modify the initial result-set in any way, never to be recalculated. This is extremely unfortunate since this makes _serial pretty much useless. My situation was that I was hoping to use it after doing a stats command but it is gone by then. To remedy this, I regenerated _serial myself like this instead:

... | streamstats current=f count AS _serial

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-13-2015 02:04 PM

Based on the comment by @acharlieh I went back and played around and have concluded that _serial only exists for the first set of events that are returned (whatever is under the events tab). Evidently _serial is destroyed by doing any other commands which modify the initial result-set in any way, never to be recalculated. This is extremely unfortunate since this makes _serial pretty much useless. My situation was that I was hoping to use it after doing a stats command but it is gone by then. To remedy this, I regenerated _serial myself like this instead:

... | streamstats current=f count AS _serial
Reply
Solved! Jump to solution

acharlieh
Influencer
‎06-13-2015 01:40 PM

I upgraded a 6.2.1 instance to 6.2.3 and I'm able to still see _serial and other hidden fields in results doing a search like index=_internal | fields - _raw | rename _* as *_x | table *_x That said, _serial and other hidden fields can be altered and destroyed by transforming commands. So the question is what examples are you trying that seem to not be working?

0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎06-13-2015 05:56 AM

I never heard of this field. What is the notion of row number in splunk ?
was it for CSV files ? Because this is gone since the 6.* and the INDEXED_EXTRACTIONS.

In case the field is there but hidden, try :
- try to cast it in a field with an eval first.

<my search> | eval serial=_serial | table serial _raw

or maybe try to add it to the fields.conf

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...