Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is tstats count showing 0 on _internal index?

PickleRick
SplunkTrust
SplunkTrust
‎06-21-2022 10:15 AM

Today I've seen something strange. I was preparing a small workshop for the customer and wanted to show the performance difference between

index=_internal | stats count

and

| tstats count where index=_internal

I was completely baffled when the second search showed me (repeatedly) count of 0.

If I run the search on any other splunk instance I have access to it shows me more or less the same number for both searches (of course they can differ slightly as the _internal is dynamic so a difference of few dozen entries is perfectly understandable).

But this one showed 0 with tstats.

Anyone encountered something like that?

I didn't have time to investigate further, I hope I get some time tomorrow to look into it but I'm puzzled. To make thing more mysterious, for other indexes tstats shows proper counts. It's just the _internal index which lies that it has no events.

It's a 8.2.6 clustered (both indexer cluster and shcluster) installation.

Labels (1)
Labels
Tags (2)
0 Karma
Reply

BLACKBEARCO
Explorer
‎06-21-2022 12:19 PM

Could also be related to https://community.splunk.com/t5/Splunk-Enterprise/what-makes-tstats-on-internal-go-wrong/m-p/572087.

Unfortunately, the resolution in the linked issue did not seem to apply to us. It seemed very specific to the _internal index.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-21-2022 11:02 AM

Is _internal tsidx-reduced on that system?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎06-21-2022 11:04 AM

I'll have to check that but I don't think so.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-21-2022 11:00 AM

Maybe it’s related to this https://community.splunk.com/t5/Splunk-Search/tstats-is-not-displaying-all-expected-hosts/m-p/602539...

If I recall right I have seen some other too?

https://splunk-usergroups.slack.com/archives/C0YK8DN2H/p1649110401076109 probably another issue related to internal indexes.

r. Ismo

Reply

PickleRick
SplunkTrust
SplunkTrust
‎06-21-2022 11:02 AM

Indeed, seems related. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...