Weird behaviour with some eventtypes.

bjalex80 · ‎05-15-2012

Splunk 4.2.1 (98164). I have some eventtypes that are not behaving as expected.

One such eventtype is named "E-Triage-LaunchWizard EmptyString for Client ID" with the following definition:

displayName="PUXEYA01" logLevel="error" "sf.sfpp.service.ams.validation.ClientDomainValidationProxy.getAccountsByClientTO" "Empty String is an invalid input for ClientID"

In the flashtimeline view if I execute this query over a 24 hour timeframe I get 9 results:

sourcetype=eventing eventtype="E-Triage-LaunchWizard EmptyString for Client ID"

If I run this one over the same timeframe, I get 0 results:

sourcetype=eventing eventtype="E-Triage-LaunchWizard EmptyString for Client ID" | stats count by eventtype

I also tried this one and also got 0 results:

sourcetype=eventing eventtype="E-Triage-LaunchWizard EmptyString for Client ID" | fields eventtype | stats count by eventtype

This happens for a handful of my eventtypes, but not all of them. Any ideas on what is going on or how to get the desired results?

guiher · ‎09-18-2012

Hello, bjalex80.

Unfortunately, I have the same problem when I try to group by eventtype. I think that´s because some events meet the conditions to be an eventtype but they are not marked as such.

Weird behaviour with some eventtypes.

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?

Weird behaviour with some eventtypes.

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine