Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

error on tag and dedup in search

asabatini85
Path Finder
‎10-29-2019 06:19 AM

Hi all,

I have a weird error on my splunk instance 7.3.0.
I created a tag called application_web, if I try to use this tag with dedup on dest field I have the value of the source on my field.

Example:

search
tag=application_web app=nmol OR app=cross
| dedup dest
| table dest

results

dest
source::/u01/wlslog/osb_ib_prod/osb_lxosb061/serverlogs/access.log|host::LXOSB061|cross_access
source::/u01/wlslog/osb2_ib_prod/osb_lxosb074/serverlogs/access.log|host::LXOSB074|cross_access
source::/u01/app/oracle/admin/osb2_prod/mserver/osb2_prod/servers/osb_lxosb004_d/logs/access.yyyyMMdd.log|host::lxosb004.gbm.lan|cross_access

but If I remove the dedup splunk work correctly, also with index and sourcetype field on search

someone had my same issue?

Regards

0 Karma
Reply

stefan_d
Path Finder
‎02-24-2020 02:53 AM

Hi

I have a similar issue.

It seems to be connected with the search term and the use of the dedup.

search producing problem:

index=index_*

|dedup HOSTNAME POLICY_NAME

The result populates a field COMP_SUMMARY_FAILURE_NAME with source::xxx|host::yyy|zzz
where xxx= value for source, yyy= value for host, zzz=value for sourcetype
The result is reproducible for a subset of events and always for this field.

This does not happen when:
- adding more specific terms, e.g. HOSTNAME=blabla
- not using a wildcard for the index, e.g. index=index_specific
- not using dedup, then the result returns multiple events with the field in question containing no values

smells like a bug?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-29-2019 09:49 AM

Hi asabatini85,
if you run only the search without dedup and table, what do you see in the dest field?

Ciao.
Giuseppe

0 Karma
Reply

asabatini85
Path Finder
‎11-05-2019 05:11 AM

I downvoted this post because it's not an answer but a comment.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-05-2019 05:30 AM

Hi asabatini85
Sorry for my comment, I'm trying to explain that you cannot dedup for an empty field, infact if you use | dedup <field> all the values with ="" are excluded by the results.
This is the reason because I hinted to run your search without table and dedup, to see the values of dest field.
This means that you have to find why dest is empty.

Giuseppe

0 Karma
Reply

asabatini85
Path Finder
‎10-30-2019 05:03 AM

Nothing, but is correct because dest filed don't have value for now.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-30-2019 05:10 AM

Hi asabatini85,
how can you use dedup for a field with no values?

Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...