Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Index viewable in Events but not in Statistics

Lucas_Henry_
New Member
‎09-28-2016 08:38 AM

I can see events from two indexes in the Events section, but my Statistics shows only events from one of the indexes. Are there common issues that can cause this?

Tags (1)
0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎09-28-2016 09:20 AM

It sounds like your search is making some assumptions about the fields present, and somehow those assumptions are only true for the one index.

in stats .... by host index sourcetype splunk_server permission_type fillnull

Obviously host, index, sourcetype and splunk_server will always be defined on all the incoming event rows. However i the extraction for permission_type isn't working right for the data in the other index or if the (very strange looking) "fillnull" field isn't really a field, then any rows with null values for either field will get thrown away. If none of the rows contain any value for permission_type or "fillnull" then you'll get no result rows out of that stats command.

I would just look at the field values directly index=sterling | stats count by fillnull or even index=sterling | table fillnull permission_type. If there are null values anywhere, that extraction or that lookup field or what-have-you, will be your culprit.

0 Karma
Reply

PPape
Contributor
‎09-28-2016 08:44 AM

Can you show the search you are running?

0 Karma
Reply

Lucas_Henry_
New Member
‎09-28-2016 08:46 AM

index=sterling | eval host=lower(host) | eval permission_type=lower(permission_type) | stats earliest(_time) as earliest latest(_time) as latest values(source) as sources by host index sourcetype splunk_server permission_type fillnull | convert ctime(earliest) ctime(latest) | table index host sourcetype earliest latest sources splunk_server permission_type | sort host

0 Karma
Reply

Lucas_Henry_
New Member
‎09-28-2016 08:48 AM

The indices are "sterling" and "sterling_nonprod". Sterling_nonprod is the only index that works with this search

0 Karma
Reply

PPape
Contributor
‎09-28-2016 08:55 AM

First of all only to get it right...
you run this search two times? Once with index=sterling once with index=sterling_nonprod right?
(only if not try "index=sterling OR index=sterling_nonprod")

Second is the attribute permission_type available in both of your indexed datasets (indexes)?

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...