Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

site value not populating correctley

Ram2
Explorer
‎05-31-2024 08:33 AM

We have a query where we are  getting the count by site.

index=test-index |stats count by host site.

When we run this query in search head cluster we are getting output as 

site                       host

undefined         appdtz

undefined        appstd

undefined        apprtg

undefined        appthf

 

When we run the same query in deployer we are getting output correctly with site.

site                       host

sitea         appdtz

sitea       appstd

siteb        apprtg

siteb        appthf

 how to fix this issue in SH cluster.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-31-2024 08:43 AM

Hi @Ram2 ,

probaby you runned the search on SHC outside the app where the site fied is extracted.

have you in the events the site field?

Ciao.

Giuseppe

0 Karma
Reply

Ram2
Explorer
‎05-31-2024 08:56 AM

Hi @gcusello ,

probaby you runned the search on SHC outside the app where the site fied is extracted. --No i am running the same query under search and reporting app  in SHC and Deployer

have you in the events the site field? --No these are default values for a host coming from universal forwarder,  what they set from application side.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-31-2024 09:16 AM

Hi @Ram2 ,

what's the Mode you're using? you must use Verbose.

if the site field isn't extracted, you cannoy use it, did you extracted the site field?

Ciao.

Giuseppe

0 Karma
Reply

Ram2
Explorer
‎05-31-2024 09:23 AM

@gcusello ,

what's the Mode you're using? you must use Verbose. --running in verbose mode.

if the site field isn't extracted, you cannoy use it, did you extracted the site field? -- The site field is a default field like host sourcetype. 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-31-2024 09:27 AM

Hi @Ram2 ,

host e sourcetype are indextime fields that you associate to your data surce, site should be an extracted field.

Have you this field running only the search without stats?

if not (as probable) you have to extract it.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...