error on tag and dedup in search

asabatini85
Path Finder

Hi all,

I have a weird error on my Splunk instance 7.3.0.
I created a tag called application_web; if I try to use this tag with dedup on the dest field, I get the value of the source in my field.

Example:

search
tag=application_web app=nmol OR app=cross
| dedup dest
| table dest

results

dest
source::/u01/wlslog/osb_ib_prod/osb_lxosb061/serverlogs/access.log|host::LXOSB061|cross_access
source::/u01/wlslog/osb2_ib_prod/osb_lxosb074/serverlogs/access.log|host::LXOSB074|cross_access
source::/u01/app/oracle/admin/osb2_prod/mserver/osb2_prod/servers/osb_lxosb004_d/logs/access.yyyyMMdd.log|host::lxosb004.gbm.lan|cross_access

But if I remove the dedup, Splunk works correctly, also with the index and sourcetype fields in the search.

Has anyone had the same issue?

Regards

0 Karma

stefan_d
Path Finder

Hi

I have a similar issue.

It seems to be connected with the search term and the use of dedup.

Search producing the problem:

index=index_*

|dedup HOSTNAME POLICY_NAME

The result populates a field COMP_SUMMARY_FAILURE_NAME with source::xxx|host::yyy|zzz
where xxx = value for source, yyy = value for host, zzz = value for sourcetype.
The result is reproducible for a subset of events and always for this field.

This does not happen when:
- adding more specific terms, e.g. HOSTNAME=blabla
- not using a wildcard for the index, e.g. index=index_specific
- not using dedup; then the result returns multiple events with the field in question containing no values

Smells like a bug?

0 Karma

gcusello
SplunkTrust

Hi asabatini85,
if you run only the search without dedup and table, what do you see in the dest field?

Ciao.
Giuseppe

0 Karma

asabatini85
Path Finder

I downvoted this post because it's not an answer but a comment.

0 Karma

gcusello
SplunkTrust

Hi asabatini85,
sorry for my comment. I'm trying to explain that you cannot dedup on an empty field; in fact, if you use | dedup <field>, all the events with <field>="" are excluded from the results.
This is the reason why I suggested running your search without table and dedup, to see the values of the dest field.
This means that you have to find out why dest is empty.

Giuseppe

0 Karma
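To make the behaviour Giuseppe describes concrete, here is an added illustration (not Splunk's code and not from any poster): a small model of how `dedup` treats events whose key field is missing, plus the "check the field before you dedup" diagnostic he suggests. The events are constructed; the field names (dest, host, sourcetype) mirror the thread, and the `keepempty` flag models the documented `dedup keepempty=<bool>` option, which defaults to false.

```python
"""Model of Splunk `dedup` null-handling (added example, not Splunk's implementation).

Constructed sample events: two of them have no `dest` field at all, matching the
situation in the thread where `dest` was not yet being extracted.
"""
from collections import Counter

SAMPLE_EVENTS = [  # constructed for illustration
    {"_raw": "GET /a", "host": "LXOSB061", "sourcetype": "cross_access"},
    {"_raw": "GET /b", "host": "LXOSB061", "sourcetype": "cross_access", "dest": "10.0.0.5"},
    {"_raw": "GET /c", "host": "LXOSB074", "sourcetype": "cross_access", "dest": "10.0.0.5"},
    {"_raw": "GET /d", "host": "LXOSB074", "sourcetype": "cross_access", "dest": "10.0.0.9"},
    {"_raw": "GET /e", "host": "lxosb004", "sourcetype": "cross_access"},
]


def _is_empty(value):
    # Splunk treats a missing field and an empty string the same way for dedup.
    return value is None or value == ""


def dedup(events, fields, keepempty=False):
    """Keep the first event for each distinct combination of `fields`.

    Events that lack any of the key fields are dropped, which is what
    `| dedup dest` does by default; with keepempty=True they are all kept,
    as with `| dedup dest keepempty=true`.
    """
    seen = set()
    kept = []
    for event in events:
        if any(_is_empty(event.get(f)) for f in fields):
            if keepempty:
                kept.append(event)
            continue
        key = tuple(event[f] for f in fields)
        if key not in seen:
            seen.add(key)
            kept.append(event)
    return kept


def field_coverage(events, field):
    """The diagnostic from the answer above: look at the field *before* dedup.

    Returns how many events carry the field and how many do not. In SPL the
    equivalent check is
      ... | eval has_dest=if(isnull(dest), "missing", "present") | stats count by has_dest
    """
    counts = Counter("present" if not _is_empty(e.get(field)) else "missing"
                     for e in events)
    return dict(counts)


if __name__ == "__main__":
    print("coverage of dest:", field_coverage(SAMPLE_EVENTS, "dest"))
    print("dedup dest      :", [e["_raw"] for e in dedup(SAMPLE_EVENTS, ["dest"])])
    print("keepempty=true  :", [e["_raw"] for e in dedup(SAMPLE_EVENTS, ["dest"], keepempty=True)])
    # Multi-field key, like `| dedup HOSTNAME POLICY_NAME` in the second post.
    print("dedup host sourcetype:", [e["_raw"] for e in dedup(SAMPLE_EVENTS, ["host", "sourcetype"])])
```

Running it shows why a search whose `dest` is never extracted returns nothing after `| dedup dest`: every event is discarded for having an empty key, so the coverage check is the first thing to run when dedup output looks wrong.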

asabatini85
Path Finder

Nothing, but that is correct because the dest field doesn't have a value for now.

0 Karma

gcusello
SplunkTrust

Hi asabatini85,
how can you use dedup for a field with no values?

Ciao.
Giuseppe

0 Karma