I have a weird error on my Splunk instance 7.3.0.
I created a tag called application_web; if I try to use this tag with dedup on the dest field, I get the value of the source in my field.
tag=application_web app=nmol OR app=cross
| dedup dest
| table dest
But if I remove the dedup, Splunk works correctly, also with the index and sourcetype fields in the search.
Has anyone had the same issue?
I have a similar issue.
It seems to be connected with the search term and the use of the dedup.
Search producing the problem:
| dedup HOSTNAME POLICY_NAME
The result populates a field COMP_SUMMARY_FAILURE_NAME with source::xxx|host::yyy|zzz
where xxx = value for source, yyy = value for host, zzz = value for sourcetype
The result is reproducible for a subset of events and always for this field.
This does not happen when:
- adding more specific terms, e.g. HOSTNAME=blabla
- not using a wildcard for the index, e.g. index=index_specific
- not using dedup; then the result returns multiple events with the field in question containing no values
Smells like a bug?
Sorry for my comment; I'm trying to explain that you cannot dedup on an empty field. In fact, if you use
| dedup <field>, all the events with ="" are excluded from the results.
This is the reason why I hinted to run your search without table and dedup, to see the values of the dest field.
This means that you have to find why dest is empty.
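The check the last reply suggests, written out as an added example (not a search posted by anyone in this thread): it reuses the question's base search, makes an empty dest visible instead of letting it vanish, and breaks the event count down by the metadata fields that appeared in the strange source::xxx|host::yyy|zzz value, so you can see which source/sourcetype combinations never carry a dest.

```spl
tag=application_web app=nmol OR app=cross
| fillnull value="<empty>" dest
| stats count by index sourcetype source dest
| sort - count
```

If you only need dedup to stop dropping the empty rows, dedup accepts keepempty=true, but that hides the symptom rather than explaining why dest is not extracted for those events.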