I have a weird error on my Splunk instance 7.3.0.
I created a tag called application_web; if I try to use this tag with dedup on the dest field, I get the value of source in my field.
tag=application_web app=nmol OR app=cross
| dedup dest
| table dest
But if I remove the dedup, Splunk works correctly, also with the index and sourcetype fields in the search.
Has someone had the same issue?
Sorry for my comment; I'm trying to explain that you cannot dedup on an empty field. In fact, if you use
| dedup <field>, all the values with ="" are excluded from the results.
This is the reason why I hinted to run your search without table and dedup, to see the values of the dest field.
This means that you have to find why dest is empty.
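A constructed check that illustrates this answer's point (added here, not part of the original thread; the dest values and the fillnull placeholder are made up):

```spl
| makeresults count=4
| streamstats count AS n
| eval dest=case(n==1, "10.0.0.1", n==2, "10.0.0.2", n==3, "10.0.0.1")
| fillnull value="EMPTY" dest
| dedup dest
| table n dest
```

With the fillnull line in place the result keeps three rows (10.0.0.1, 10.0.0.2, EMPTY); remove that line and the fourth event, whose dest is null, is silently dropped by dedup, which is why a missing dest should be investigated before deduplicating on it.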
I have a similar issue.
It seems to be connected with the search term and the use of the dedup.
Search producing the problem:
|dedup HOSTNAME POLICYNAME
The result populates a field COMPSUMMARYFAILURE_NAME with source::xxx|host::yyy|zzz
where xxx = value for source, yyy = value for host, zzz = value for sourcetype
The result is reproducible for a subset of events and always for this field.
This does not happen when:
- adding more specific terms, e.g. HOSTNAME=blabla
- not using a wildcard for the index, e.g. index=index_specific
- not using dedup; then the result returns multiple events with the field in question containing no values
Smells like a bug?