Hi all,
I have a weird error on my Splunk instance 7.3.0.
I created a tag called application_web; if I try to use this tag with dedup on the dest field, I get the value of the source in my field.
Example:
search
tag=application_web app=nmol OR app=cross
| dedup dest
| table dest
results
dest
source::/u01/wlslog/osb_ib_prod/osb_lxosb061/serverlogs/access.log|host::LXOSB061|cross_access
source::/u01/wlslog/osb2_ib_prod/osb_lxosb074/serverlogs/access.log|host::LXOSB074|cross_access
source::/u01/app/oracle/admin/osb2_prod/mserver/osb2_prod/servers/osb_lxosb004_d/logs/access.yyyyMMdd.log|host::lxosb004.gbm.lan|cross_access
But if I remove the dedup, Splunk works correctly, also with the index and sourcetype fields in the search.
Has someone had the same issue?
Regards
Hi
I have a similar issue.
It seems to be connected with the search term and the use of the dedup.
Search producing the problem:
index=index_*
|dedup HOSTNAME POLICY_NAME
The result populates a field COMP_SUMMARY_FAILURE_NAME with source::xxx|host::yyy|zzz
where xxx = value for source, yyy = value for host, zzz = value for sourcetype.
The result is reproducible for a subset of events and always for this field.
This does not happen when:
- adding more specific terms, e.g. HOSTNAME=blabla
- not using a wildcard for the index, e.g. index=index_specific
- not using dedup; then the result returns multiple events with the field in question containing no values
Smells like a bug?
Hi asabatini85,
If you run only the search without dedup and table, what do you see in the dest field?
Ciao.
Giuseppe
I downvoted this post because it's not an answer but a comment.
Hi asabatini85
Sorry for my comment. I'm trying to explain that you cannot dedup on an empty field; in fact, if you use | dedup <field>,
all the values with ="" are excluded from the results.
This is the reason why I suggested running your search without table and dedup, to see the values of the dest field.
This means that you have to find out why dest is empty.
Giuseppe
Nothing, but that is correct because the dest field doesn't have a value for now.
Hi asabatini85,
How can you use dedup on a field with no values?
Ciao.
Giuseppe