Splunk Search

Why is "stats" not working for the default "component" field on the internal except for in verbose mode?

hettervik
Builder

Hi. We are trying to do some stats on the "component" field in the internal splunkd logs, but have encountered a strange problem, the stats command only works if we search in "Verbose Mode". If we switch to "Smart Mode" or "Fast Mode" the search gives no results.

This is our search: 

 

index=_internal sourcetype=splunkd component=* | stats count by component

 

This is the default regex in props.conf in the search app for the "component" field: 

 

(?i)^(?:[^ ]* ){2}(?:[+\-]\d+ )?(?P<log_level>[^ ]*)\s+(?P<component>[^ ]+) - (?P<event_message>.+)

 

I've tried running the regex manually with the rex command, so I know it works fine. Also, I tried running the stats command in the search app itself, to ensure that there is no permission errors, but the results are the same. The permission for the field extraction is set to read everyone and global anyway, so it should not matter. Also, since the extraction works in verbose mode, we know it actually works, as the component field would not be extracted by a normal key-value pair extraction. It has to be extracted by the regex.

Example of an internal log with the component field (being "Metrics" in this case):

 

10-19-2020 10:36:03.997 +0200 INFO  Metrics - group=thruput, name=uncooked_output, instantaneous_kbps=0, instantaneous_eps=0, average_kbps=0, total_k_processed=0, kb=0, ev=0

 

Also, if I search for only "index=_internal sourcetype=splunkd" in smart mode, the component field is extracted, but if I then click on the field in the UI and click e.g. "Top values", it gives no results again.

Can anyone explain this behaviour, and what may be the cause?

Labels (1)

andsov
Explorer

+1 On this issue, we are also experiencing the exact same problem. 

0 Karma
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...