Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why does tstats not work for some feeds with host="unassigned"?

vl951f
Path Finder
‎01-05-2023 08:37 AM

We had some feeds with host="unassigned". the following tstats will not return any result for some feeds, but it works for some other feeds:

tstats count where index=aindex by host,sourcetype,index

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎01-05-2023 07:59 PM

The right question to ask is: What methods are used to ingest those sources showing "unassigned"?  Yes, your admin and source developers should make sure that Splunk gets host field in any source because this is a required base field for Splunk.  In most cases, Splunk will try to decipher host from source; sometimes it will even use the index server as host.  But yes, there are ways to defeat Splunk no matter what the server do.  Getting Data In contains information about how to correctly configure sources.  There's also a dedicated forum about Getting Data In.  Good luck.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

vl951f
Path Finder
‎01-05-2023 09:54 PM

@yuanliu  YES. That's the answer I'm looking for (Splunk gets host field in any source because this is a required base field for Splunk). Do you have any link for Splunk documentation to indicate the general rules for the host field?  I'm trying to convince the source developers to assign a value to the host field for all feeds.

Thank you so much.

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎01-05-2023 10:39 PM

This is from the Getting Data In document linked above: Configure host values. (Each data source is different.)

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎01-05-2023 09:25 AM

It is possible that those "unassigned" is populated by some special rule (like calculated field).  In the raw feed, host is perhaps blank.  In that case, when you group by host, those records will not show.  That tstats would then be equivalent to

index=aindex host=*
| stats count by host,sourcetype,index

This can be a test to detect such a condition.

index=aindex NOT host=*
| stats count by sourcetype, index

 

0 Karma
Reply
Solved! Jump to solution

vl951f
Path Finder
‎01-05-2023 11:07 AM

There is no host field in any of those raw messages. It looks like Splunk assigned "unassigned" to the host field if it's blank.

What's the general rules for the host field parsing in Splunk? Should any feed be assigned a value to host field (if it's blank)?

Will assigning a value to the host field (if it's blank) fix the tstats search problem?

0 Karma
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎01-05-2023 07:59 PM

The right question to ask is: What methods are used to ingest those sources showing "unassigned"?  Yes, your admin and source developers should make sure that Splunk gets host field in any source because this is a required base field for Splunk.  In most cases, Splunk will try to decipher host from source; sometimes it will even use the index server as host.  But yes, there are ways to defeat Splunk no matter what the server do.  Getting Data In contains information about how to correctly configure sources.  There's also a dedicated forum about Getting Data In.  Good luck.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...