Weird behaviour with some eventtypes.

bjalex80 · ‎05-15-2012

Splunk 4.2.1 (98164). I have some eventtypes that are not behaving as expected.

One such eventtype is named "E-Triage-LaunchWizard EmptyString for Client ID" with the following definition:

displayName="PUXEYA01" logLevel="error" "sf.sfpp.service.ams.validation.ClientDomainValidationProxy.getAccountsByClientTO" "Empty String is an invalid input for ClientID"

In the flashtimeline view if I execute this query over a 24 hour timeframe I get 9 results:

sourcetype=eventing eventtype="E-Triage-LaunchWizard EmptyString for Client ID"

If I run this one over the same timeframe, I get 0 results:

sourcetype=eventing eventtype="E-Triage-LaunchWizard EmptyString for Client ID" | stats count by eventtype

I also tried this one and also got 0 results:

sourcetype=eventing eventtype="E-Triage-LaunchWizard EmptyString for Client ID" | fields eventtype | stats count by eventtype

This happens for a handful of my eventtypes, but not all of them. Any ideas on what is going on or how to get the desired results?

guiher · ‎09-18-2012

Hello, bjalex80.

Unfortunately, I have the same problem when I try to group by eventtype. I think that´s because some events meet the conditions to be an eventtype but they are not marked as such.

Weird behaviour with some eventtypes.

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?