Knowledge Management

Eventtype works to find the record, but does not show up in the eventtype field for the event just found.

dongyao0001
New Member

I have an eventtype, for example Defect-123, defined with a search string taken from a stack trace, "caused by: some exception". I can use the eventtype to find the event, but when I look at the eventtype field for that particular event, I cannot see Defect-123.

This only works when I build the search string with some string from the log entry, but not with the string from the stack trace appended to that log entry....

What could be the reason for this? The size of the stack trace, or some pattern that needs to be defined....
Thanks,


lguinn2
Legend

When you say "I can't see the eventtype in the result," where are you looking for the eventtype? And what are you trying to achieve with the result?

If you are looking in the fields sidebar for the eventtype, only the top 10 eventtypes will show even though there might be more.
The "eventtype" field is often a multivalued field, which will show all the eventtypes (think "categories") that an event belongs to.

Try this and see what happens:

yoursearchhere eventtype="xyz"
| stats count by eventtype

You may see many different eventtypes for a single event. Assume that your search returned 10 results. The statistics could easily look like this:

eventtype             count
fail                     2
success                  8
unix_audit               9
xyz                     10

Looking at these results, it is clear that each event belongs to multiple eventtypes. This is normal and expected. You can also try to see what is happening by doing this:

yoursearchhere eventtype="xyz"
| head 10
| table eventtype _raw
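Added example, not code from this thread or from Splunk: a small Python model of the behaviour lguinn2 describes, where every eventtype whose search matches an event is appended to that event's multivalued eventtype field, `eventtype="xyz"` matches on any one of those values, and `| stats count by eventtype` then produces one row per value. The search grammar (bare terms, quoted phrases, `field=value`, all ANDed), the sample log lines and the eventtype definitions are constructed assumptions; the phrase parser also handles the backslash-escaped quotes used in the JIRA-001 and JIRA-002 definitions later in the thread. Real SPL semantics are much richer than this model.

```python
"""Simplified model of how Splunk assigns the multivalued `eventtype` field.

Added example, not Splunk code. Only the search subset needed here is
modelled: bare terms (case-insensitive whole word), quoted phrases
(case-insensitive substring, backslash escapes removed) and field=value
terms, all ANDed.
"""
import re
from collections import Counter

# One search token: optional field= prefix, then a quoted phrase or a bare term.
_TOKEN_RE = re.compile(r'(?:(\w+)=)?(?:"((?:[^"\\]|\\.)*)"|(\S+))')


def parse_search(search):
    """Split an eventtype search string into (field, value, is_phrase) tuples."""
    constraints = []
    for m in _TOKEN_RE.finditer(search):
        field, quoted, bare = m.groups()
        if quoted is not None:
            # Drop the backslash escapes so \" in the definition matches " in _raw.
            constraints.append((field, re.sub(r"\\(.)", r"\1", quoted), True))
        else:
            constraints.append((field, bare, False))
    return constraints


def matches(event, constraints):
    """True when every constraint holds for the event (implicit AND)."""
    raw = event["_raw"]
    for field, value, is_phrase in constraints:
        if field is not None:
            ok = str(event.get(field, "")).lower() == value.lower()
        elif is_phrase:
            ok = value.lower() in raw.lower()
        else:
            ok = re.search(r"(?<!\w)" + re.escape(value) + r"(?!\w)", raw, re.I) is not None
        if not ok:
            return False
    return True


def tag_eventtypes(events, eventtypes):
    """Return copies of the events with a sorted multivalued `eventtype` field."""
    compiled = {name: parse_search(spec) for name, spec in eventtypes.items()}
    tagged = []
    for event in events:
        event = dict(event)
        event["eventtype"] = sorted(n for n, c in compiled.items() if matches(event, c))
        tagged.append(event)
    return tagged


def search_eventtype(tagged, name):
    """`eventtype="name"`: an event matches when name is any one of its values."""
    return [e for e in tagged if name in e["eventtype"]]


def stats_count_by_eventtype(events):
    """`| stats count by eventtype` splits the multivalue: one row per value."""
    return Counter(v for e in events for v in e["eventtype"])


# Constructed sample data (hypothetical eventtype names follow the thread).
EVENTTYPES = {
    "Defect-123": '"caused by: some exception"',
    "JIRA-001": 'index=mine "ExceptionReason\\": Error01\\""',
    "JIRA-002": 'index=mine "ExceptionReason\\": Another Error02\\""',
    "app_error": "index=mine ERROR",
}
SAMPLE_EVENTS = [
    {"index": "mine", "_raw": 'ERROR OrderService {"ExceptionReason": Error01"} Caused by: some exception at com.example.Order'},
    {"index": "mine", "_raw": 'ERROR PaymentService {"ExceptionReason": Another Error02"}'},
    {"index": "mine", "_raw": "INFO OrderService request completed"},
    {"index": "other", "_raw": 'ERROR Foo {"ExceptionReason": Error01"}'},
    {"index": "mine", "_raw": "ERROR OrderService Caused by: some exception"},
]

if __name__ == "__main__":
    tagged = tag_eventtypes(SAMPLE_EVENTS, EVENTTYPES)
    # eventtype="app_error" | stats count by eventtype
    for name, count in stats_count_by_eventtype(search_eventtype(tagged, "app_error")).most_common():
        print(f"{name:<12}{count}")
    # eventtype="JIRA-001" | table eventtype _raw
    for e in search_eventtype(tagged, "JIRA-001"):
        print(e["eventtype"], e["_raw"])
```

Running it, the `app_error` search returns three events but the stats table shows four eventtype rows with counts that do not add up to three, which is the "each event belongs to multiple eventtypes" effect described above. The model does not reproduce the failure reported later in the thread (a definition that matches in the search but never appears in the field); it only shows the expected behaviour so a misbehaving definition has something to be compared against.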

yhfaney
New Member

Let me reply to this thread since I have exactly the same issue as dongyao0001.

The problem is that I cannot see the eventtype field in the result even though we can query by eventtype.

For example, I have two eventtypes, which are
eventtype: JIRA-001

index=mine "ExceptionReason\": Error01\""

eventtype: JIRA-002

index=mine "ExceptionReason\": Another Error02\""

I can see the eventtype JIRA-001 on my result but cannot see JIRA-002.

Trying what you suggested, I can see a result for

index=mine eventtype="JIRA-001" | stats count by eventtype

But I cannot see a result for

index=mine eventtype="JIRA-002" | stats count by eventtype

I also tried deleting JIRA-002 and creating JIRA-003 with exactly the same search query, but it didn't work.

I know it sounds weird, but it is happening.

FYI, this gives me empty fields:

index=mine eventtype="JIRA-002" | table eventtype

For your information, I can see results for

index=mine eventtype="JIRA-002"

Also, I can get results using this query, which does not make sense:

eventtype="JIRA-002" | where isnull(eventtype)

DavidHourani
Super Champion

Hi there!

Did you manage to find a fix for this?

PickleRick
SplunkTrust

Hi @DavidHourani

You might have missed that, but the thread you're responding to is over 6 years old. There's a relatively high probability that the people involved don't even subscribe to this forum anymore. And the question itself (or the cause of the underlying problem) might not be relevant for the current version of Splunk.

In such a case it's better to start a new thread, possibly including a link to the old post as a reference to what you already found.

yhfaney
New Member

I have exactly the same issue as this. I could set the eventtype, and I could query results using the eventtype, but I cannot make the eventtype show up in the result!!
