Splunk Search

error on tag and dedup in search

Path Finder

Hi all,

I have a weird error on my Splunk instance 7.3.0.
I created a tag called application_web; if I try to use this tag with dedup on the dest field, I get the value of source in my field.

Example:

search
tag=application_web app=nmol OR app=cross
| dedup dest
| table dest

results

dest
source::/u01/wlslog/osb_ib_prod/osb_lxosb061/serverlogs/access.log|host::LXOSB061|cross_access
source::/u01/wlslog/osb2_ib_prod/osb_lxosb074/serverlogs/access.log|host::LXOSB074|cross_access
source::/u01/app/oracle/admin/osb2_prod/mserver/osb2_prod/servers/osb_lxosb004_d/logs/access.yyyyMMdd.log|host::lxosb004.gbm.lan|cross_access

but if I remove the dedup, Splunk works correctly, also with the index and sourcetype fields in the search.

Has anyone had the same issue?

Regards

0 Karma

Re: error on tag and dedup in search

Legend

Hi asabatini85,
if you run only the search, without dedup and table, what do you see in the dest field?

Ciao.
Giuseppe

0 Karma

Re: error on tag and dedup in search

Path Finder

Nothing, but that is correct because the dest field doesn't have a value for now.

0 Karma

Re: error on tag and dedup in search

Legend

Hi asabatini85,
how can you use dedup for a field with no values?

Ciao.
Giuseppe

0 Karma

Re: error on tag and dedup in search

Path Finder

I downvoted this post because it's not an answer but a comment.

0 Karma

Re: error on tag and dedup in search

Legend

Hi asabatini85,
Sorry for my comment; I'm trying to explain that you cannot dedup on an empty field. In fact, if you use | dedup <field>, all the values with <field>="" are excluded from the results.
This is why I suggested running your search without table and dedup, to see the values of the dest field.
This means that you have to find out why dest is empty.

Giuseppe

0 Karma
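The check Giuseppe describes, as an added example that is not part of the original thread: the first search counts how many matching events actually carry a dest value (the tag name and app values are taken from the original post; dest_state is a hypothetical field name used only for this example), and the second keeps the dedup but adds keepempty=true so events without a dest value are retained instead of silently dropped, which makes it possible to see, side by side, what dest holds next to source, host and sourcetype for the same events.

```spl
tag=application_web app=nmol OR app=cross
| eval dest_state=if(isnull(dest), "missing", "set")
| stats count by dest_state

tag=application_web app=nmol OR app=cross
| dedup dest keepempty=true
| table _time source host sourcetype dest
```

If the first search reports only "missing", dedup dest has nothing to deduplicate on and the problem lies in how dest is extracted (field extraction, lookup or eventtype configuration for that tag), not in dedup itself. The second search is the quickest way to confirm whether the odd source::...|host::...|sourcetype strings appear in dest only for events that originally had no dest value.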

Re: error on tag and dedup in search

Explorer

Hi

I have a similar issue.

It seems to be connected with the search term and the use of dedup.

search producing problem:

index=index*
| dedup HOSTNAME POLICY NAME

The result populates a field COMPSUMMARYFAILURE_NAME with source::xxx|host::yyy|zzz,
where xxx = value for source, yyy = value for host, zzz = value for sourcetype.
The result is reproducible for a subset of events and always for this field.

This does not happen when:
- adding more specific terms, e.g. HOSTNAME=blabla
- not using a wildcard for the index, e.g. index=index_specific
- not using dedup; then the result returns multiple events with the field in question containing no values

Smells like a bug?

0 Karma