I have an eventtype, for example Defect-123, defined with a search string from a stack trace ("caused by: some exception"). I can use the eventtype to find the event, but when I look at the eventtype field for that particular event, I cannot see Defect-123.
This only works when I build the search string from some string in the log entry, but not from the string in the stack trace appended to that log entry....
What could be the reason for this? The size of the stack trace, or does some pattern need to be defined?
Thanks,
When you say "I can't see the eventtype in the result," where are you looking for the eventtype? And what are you trying to achieve with the result?
If you are looking in the fields sidebar for the eventtype, only the top 10 eventtypes will show even though there might be more.
The "eventtype" field is often a multivalued field, which will show all the eventtypes (think "categories") that an event belongs to.
Try this and see what happens:
yoursearchhere eventtype="xyz"
| stats count by eventtype
You may see many different eventtypes for a single event. Assume that your search returned 10 results. The statistics could easily look like this:
eventtype count
fail 2
success 8
unix_audit 9
xyz 10
Looking at these results, it is clear that each event belongs to multiple eventtypes. This is normal and expected. You can also try to see what is happening by doing this:
yoursearchhere eventtype="xyz"
| head 10
| table eventtype _raw
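As an added diagnostic (this is not part of the answer above, and it reuses the thread's `index=mine` and `JIRA-*` names purely as assumptions), two searches a practitioner would run next. The first groups every returned event by the complete contents of its eventtype field, so an event that matched the eventtype filter but carries no eventtype value appears as NULL instead of silently dropping out of the table. The second lists how the eventtypes are actually defined on the search head (search string, disabled flag, app and sharing), which is what the eventtype field is computed from at search time.

```spl
index=mine eventtype="JIRA-002"
| eval et_list=if(isnull(eventtype), "NULL", mvjoin(eventtype, ";"))
| eval et_count=if(isnull(eventtype), 0, mvcount(eventtype))
| stats count by et_list et_count

| rest /servicesNS/-/-/saved/eventtypes splunk_server=local
| search title="JIRA-*"
| table title search disabled eai:acl.app eai:acl.sharing eai:acl.owner
```

The two searches are independent pipelines; run them one at a time. `stats count by eventtype` splits a multivalue field into one row per value, whereas `mvjoin` keeps all of an event's eventtypes on a single row, so the first search shows both "which eventtypes" and "how many per event" at once. The second search is a read-only listing of the definitions the search head knows about; compare the `search` column against the string you typed into the eventtype editor and confirm the entry is not disabled before looking anywhere else.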
Let me reply in this thread since I have exactly the same issue as dongyao0001.
The problem is that I cannot see the eventtype field in the result even though I can query by eventtype.
For example, I have two eventtypes which are
eventtype: JIRA-001
index=mine "ExceptionReason\": Error01\""
eventtype: JIRA-002
index=mine "ExceptionReason\": Another Error02\""
I can see the eventtype JIRA-001 in my result but cannot see JIRA-002.
Trying what you suggested, I can see a result for
index=mine eventtype="JIRA-001" | stats count by eventtype
But I cannot see a result for
index=mine eventtype="JIRA-002" | stats count by eventtype
I also tried deleting JIRA-002 and creating JIRA-003 with exactly the same search query, but it didn't work.
I know it sounds weird, but it is happening.
FYI, this gives me empty fields:
index=mine eventtype="JIRA-002" | table eventtype
For your information, I can see a result for
index=mine eventtype="JIRA-002"
Also, I can get a result using this query, which does not make sense:
eventtype="JIRA-002" | where isnull(eventtype)
Hi there!
Did you manage to find a fix for this?
You might have missed it, but the thread you're responding to is over 6 years old. There's a relatively high probability that the people involved don't even subscribe to this forum anymore. And the question itself (or the cause of the underlying problem) might not be relevant to the current version of Splunk.
In such a case it's better to start a new thread, possibly including a link to the old post as a reference to what you already found.
I have exactly the same issue as this. I can set the eventtype, I can query results using the eventtype, but I cannot make the eventtype show in the result!