Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

site value not populating correctley

Ram2
Explorer
‎05-31-2024 08:33 AM

We have a query where we are  getting the count by site.

index=test-index |stats count by host site.

When we run this query in search head cluster we are getting output as 

site                       host

undefined         appdtz

undefined        appstd

undefined        apprtg

undefined        appthf

 

When we run the same query in deployer we are getting output correctly with site.

site                       host

sitea         appdtz

sitea       appstd

siteb        apprtg

siteb        appthf

 how to fix this issue in SH cluster.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-31-2024 08:43 AM

Hi @Ram2 ,

probaby you runned the search on SHC outside the app where the site fied is extracted.

have you in the events the site field?

Ciao.

Giuseppe

0 Karma
Reply

Ram2
Explorer
‎05-31-2024 08:56 AM

Hi @gcusello ,

probaby you runned the search on SHC outside the app where the site fied is extracted. --No i am running the same query under search and reporting app  in SHC and Deployer

have you in the events the site field? --No these are default values for a host coming from universal forwarder,  what they set from application side.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-31-2024 09:16 AM

Hi @Ram2 ,

what's the Mode you're using? you must use Verbose.

if the site field isn't extracted, you cannoy use it, did you extracted the site field?

Ciao.

Giuseppe

0 Karma
Reply

Ram2
Explorer
‎05-31-2024 09:23 AM

@gcusello ,

what's the Mode you're using? you must use Verbose. --running in verbose mode.

if the site field isn't extracted, you cannoy use it, did you extracted the site field? -- The site field is a default field like host sourcetype. 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-31-2024 09:27 AM

Hi @Ram2 ,

host e sourcetype are indextime fields that you associate to your data surce, site should be an extracted field.

Have you this field running only the search without stats?

if not (as probable) you have to extract it.

Ciao.

Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...