I'm running Splunk 6.1 on CentOS 6.5.
When I run a search like:
sourcetype=barnyard2 | cluster | table cluster_count,_raw
The cluster_count field doesn't show up in the field list. I've even tried specifying countfield=cluster_count (or any other name) and it still doesn't show up.
Is this a bug? This worked as expected in previous versions of Splunk.
Thanks.
Craig
Try this
sourcetype=barnyard2| cluster showcount=true | table cluster_count,_raw
That worked.
sourcetype=barnyard2| cluster showcount=true | table cluster_count,_raw