Eventtype works to find the record, but does not show up in the eventtype field for the event just found.

New Member

I have an eventtype, for example Defect-123, defined with a search string from a stack trace ("caused by: some exception"). I can use the eventtype to find the event, but when I look at the eventtype field for that particular event, I cannot see Defect-123.

This only works when I build the search string from some string in the log entry itself, but not from the stack trace appended to that log entry....

What could be the reason for this? The size of the stack trace, or does some pattern need to be defined....
Thanks,


Legend

When you say "I can't see the eventtype in the result," where are you looking for the eventtype? And what are you trying to achieve with the result?

If you are looking in the fields sidebar for the eventtype, only the top 10 eventtypes will show even though there might be more.
The "eventtype" field is often a multivalued field, which will show all the eventtypes (think "categories") that an event belongs to.

Try this and see what happens:

yoursearchhere eventtype="xyz"
| stats count by eventtype

You may see many different eventtypes for a single event. Assume that your search returned 10 results. The statistics could easily look like this

eventtype             count
fail                     2
success                  8
unix_audit               9
xyz                     10

Looking at these results, it is clear that each event belongs to multiple eventtypes. This is normal and expected. You can also try to see what is happening by doing this

yoursearchhere eventtype="xyz"
| head 10
| table eventtype _raw
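The point made above, that eventtype is a multivalued field and that `stats count by eventtype` therefore counts an event once for every eventtype it belongs to, can be modelled outside Splunk. The following is an added example written for this thread, not code from the original posts or from Splunk: it tags ten constructed log lines against four hypothetical eventtype definitions (names and terms are assumptions chosen to reproduce the table in the answer), applies an `eventtype="xyz"` filter, and aggregates the way `stats count by eventtype` does. Real Splunk matches indexed tokens rather than substrings; the matcher here is a deliberate simplification.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample events standing in for _raw (not taken from the thread).
EVENTS: List[str] = [
    "app[101]: audit: login user=alice result=success",
    "app[102]: audit: login user=bob result=success",
    "app[103]: audit: login user=carol result=fail reason=bad_password",
    "app[104]: audit: sudo user=alice result=success",
    "app[105]: audit: login user=dave result=success",
    "app[106]: login user=erin result=success",          # no audit marker
    "app[107]: audit: login user=frank result=fail reason=locked",
    "app[108]: audit: logout user=alice result=success",
    "app[109]: audit: login user=grace result=success",
    "app[110]: audit: ssh user=heidi result=success",
]

# Hypothetical eventtype definitions: name -> terms that must ALL occur in _raw.
# This models the implicit AND of a simple eventtype search string; a real
# eventtype stanza holds an SPL search, which Splunk evaluates against tokens.
EVENTTYPES: Dict[str, List[str]] = {
    "xyz": ["app["],            # every line from the application
    "success": ["result=success"],
    "fail": ["result=fail"],
    "unix_audit": ["audit"],
}


def matches(raw: str, terms: List[str]) -> bool:
    """Case-insensitive substring AND over all terms (simplified matcher)."""
    low = raw.lower()
    return all(t.lower() in low for t in terms)


def tag_event(raw: str, defs: Dict[str, List[str]] = EVENTTYPES) -> List[str]:
    """Return the multivalued eventtype field for one event, sorted for stable output."""
    return sorted(name for name, terms in defs.items() if matches(raw, terms))


def search(eventtype: str,
           events: List[str] = EVENTS,
           defs: Dict[str, List[str]] = EVENTTYPES) -> List[Tuple[str, List[str]]]:
    """Model `yoursearch eventtype="<name>"`: keep events whose eventtype field contains name."""
    results = []
    for raw in events:
        ets = tag_event(raw, defs)
        if eventtype in ets:
            results.append((raw, ets))
    return results


def stats_count_by_eventtype(results: List[Tuple[str, List[str]]]) -> Counter:
    """Model `| stats count by eventtype`: a multivalued field yields one row per value,
    so the counts can sum to more than the number of events."""
    counts: Counter = Counter()
    for _raw, ets in results:
        counts.update(ets)
    return counts


if __name__ == "__main__":
    hits = search("xyz")
    print(f"{len(hits)} events matched eventtype=xyz")
    print(f"{'eventtype':<14}count")
    for name, n in sorted(stats_count_by_eventtype(hits).items()):
        print(f"{name:<14}{n}")
```

Running it reproduces the answer's table (fail 2, success 8, unix_audit 9, xyz 10) from ten events: the per-eventtype counts sum to 29 because each event carries several eventtypes, which is exactly why a single eventtype search can show many eventtype values in the statistics.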

New Member

Let me reply in this thread since I have exactly the same issue as dongyao0001.

The problem is that I cannot see the eventtype field in the result even though I can query by eventtype.

For example, I have two eventtypes which are
eventtype: JIRA-001

index=mine "ExceptionReason\": Error01\""

eventtype: JIRA-002

index=mine "ExceptionReason\": Another Error02\""

I can see the eventtype JIRA-001 on my result but cannot see JIRA-002.

Trying what you suggested, I can see the result for

index=mine eventtype="JIRA-001" | stats count by eventtype

But I cannot see the result for

index=mine eventtype="JIRA-002" | stats count by eventtype

I also tried deleting JIRA-002 and creating JIRA-003 with exactly the same search query, but it didn't work.

I know it sounds weird, but it is happening.

FYI, this gives me an empty field:

index=mine eventtype="JIRA-002" | table eventtype

For your information, I could see the result for

index=mine eventtype="JIRA-002"

Also, I could get a result using this query, which does not make sense:

eventtype="JIRA-002" | where isnull(eventtype)

New Member

I have exactly the same issue. I can set the eventtype and I can query results using the eventtype, but I cannot get the eventtype to show up in the result!!
