×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
chrislkt
Explorer
Member since: ‎08-05-2024
‎09-10-2024
Community Statistics
Posts 6
Solutions 1
Karma Given 4
Karma Received 1
Member Since ‎08-05-2024
Activity Feed
View All

Re: tstats returns a count of zero when using an O...

by in Splunk Search
‎09-10-2024 05:01 PM
1 Karma
‎09-10-2024 05:01 PM
1 Karma
Splunk support confirmed this is a bug in 9.1.0.2. Based on the SPL, it has been resolved in Beryllium 9.1.4 and Cobalt 9.2.1. As a workaround until we upgrade, I have appended a bogus OR condition with a wildcard, e.g.: OR noSuchField=noSuchValue* to the other OR conditions in our WHERE clauses, and this causes Splunk to return the correct result. ... View more

Re: tstats returns a count of zero when using an O...

by in Splunk Search
‎08-09-2024 07:45 AM
‎08-09-2024 07:45 AM
Thanks for the idea about the limits. I checked them and it doesn't look like the cause in this case, though we have run into that before where events with too much data didn't get indexed. Also, that looks like a very useful presentation. ... View more

Re: tstats returns a count of zero when using an O...

by in Splunk Search
‎08-09-2024 07:40 AM
‎08-09-2024 07:40 AM
I can't find any evidence that this is a simple data issue. We have many customers using queries like this, and it was only noticed a couple weeks ago. One guess is that the behavior changed when we upgraded from Splunk 8.x to 9.x a couple months ago. To further illustrate: |tstats count where index="my_index" eventOrigin="api" (accountId="8674756857") Result: 6618 |tstats count where index="my_index" eventOrigin="api" (accountId="8674756857" OR serviceType="unmanaged") Result: 0 |tstats count where index="my_index" eventOrigin="api" (accountId="8674756857" OR serviceType="unmanaged" OR noSuchField="noSuchValue*") Result: 6618 So adding a bogus OR term with an asterisk in the value returns the correct result, but without it the result is 0. I can't imagine this is correct behavior, and we have submitted a support request to Splunk. ... View more

Re: tstats returns a count of zero when using an O...

by in Splunk Search
‎08-06-2024 02:16 PM
‎08-06-2024 02:16 PM
Thanks @KendallW  We are using automatic header-based field extraction for our JSON documents as described here: https://docs.splunk.com/Documentation/Splunk/9.3.0/Data/Extractfieldsfromfileswithstructureddata#Use_configuration_files_to_enable_automatic_header-based_field_extraction So when fields like serviceType are present in the events I believe they are getting indexed. You are correct that serviceType is completely missing from the events for time ranges where my tstats query returns 0, but I don't understand why it would work this way, especially since adding a wildcard to either OR value returns the correct non-zero result: |tstats count where index="my_index" eventOrigin="api" (accountId="8674756857*" OR serviceType="unmanaged") |tstats count where index="my_index" eventOrigin="api" (accountId="8674756857" OR serviceType="unmanaged*") This really seems like a bug. Thanks for the tip about |append, though this is very undesirable and possibly infeasible for us considering the complexity of our queries and how many we have. ... View more

Re: tstats returns a count of zero when using an O...

by in Splunk Search
‎08-06-2024 01:57 PM
‎08-06-2024 01:57 PM
Thanks for your response @scelikok . We are using a custom sourcetype for our events which is configured in inputs.conf and props.conf to extract the fields from the events as JSON, so based on my reading of this documentation I think all the fields from the JSON are getting indexed, including serviceType: https://docs.splunk.com/Documentation/Splunk/9.3.0/Data/Extractfieldsfromfileswithstructureddata#Use_configuration_files_to_enable_automatic_header-based_field_extraction We are able to use tstats to query on any of our JSON fields that I've tried, for example returns the correct non-zero count: |tstats count where index="my_index" serviceType="unmanaged" I tried your tip about using TERM(), but I don't think it applies here. As I mentioned, I can use a wildcard on the serviceType value even without TERM() and it works as expected, even when there are no events containing serviceType: |tstats count where index="my_index" eventOrigin="api" (accountId="8674756857" OR serviceType="unmana*")   ... View more

tstats returns a count of zero when using an OR cl...

by in Splunk Search
‎08-05-2024 12:15 PM
‎08-05-2024 12:15 PM
For some reason my |tstats count query is returning a result of 0 when I add an OR condition in my where clause if the field doesn't exist in the dataset, or if the OR condition specifies a string value when the value for the field in the data is always an integer. For example: This query returns the correct event count (or at least it's non-zero):   |tstats count where index="my_index" eventOrigin="api" (accountId="8674756857")     Adding this OR condition returns a count of zero -- why? Note that for this time range there are no events with a serviceType field, but for other time ranges there are events with a serviceType field.   |tstats count where index="my_index" eventOrigin="api" (accountId="8674756857" OR serviceType="unmanaged")     Adding this OR condition also returns zero -- why? It's true that accountId should normally be an integer, but it's an OR, so I still expect it to count those events.   |tstats count where index="my_index" eventOrigin="api" (accountId="19783038942" OR accountId="aaa")     Using a * results in the same non-zero count as the first query, which is expected, even though there are no events with a serviceType field:   |tstats count where index="my_index" eventOrigin="api" (accountId="8674756857" OR serviceType="unmana*")     Why would adding an OR condition in tstats cause the count to be zero? The same problem does not occur with a regular search query. I am on Splunk 9.1.0.2. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎09-10-2024 08:25 PM
Karma from
View All
Karma given to