Hello,
In the past few weeks, we have run into some strange behavior with a data model. It is somehow connected to geofence. We named our lookup definition for it ld_geoContEurope and used the results in the data model. But somehow, the name "ld_geoContEurope" appears in field values, so we get values like "outOfEurope", "inEurope", and "ld_geoContEurope". And this "ld_geoContEurope" also appeared in other fields of the data model.
But it only appears when we use tstats with summariesonly=t and try to show the respective fields when these are not defined in the raw events. For example, | tstats summariesonly=t count by datamodel.speed shows values like:
datamodel.speed     count
20                  3
30                  5
ld_geoContEurope    2
As we can see, 2 events don't have the attribute speed defined, as it is optional in the event.
When we use the command | from datamodel | stats count by speed, it shows only:
speed    count
20       3
30       5
as the events have only those values defined.
Splunk version 6.5.8
Can someone help?
Thanks for any advice.