Knowledge Management

eventtype with Russian text causes "| stats count by tag" to return no results

mgaraventa_splu
Splunk Employee
Splunk Employee

If I run the search:

tag=S100 | stats count

it returns the correct results. So the tag can be searched, but there is no tag field in the fields list. If instead you run this search:

tag=S100 | stats count by tag

it doesn't return any result. I could reproduce the issue both on Splunk 6.1.1 and 6.0. After replacing the Russian text in Message="" in the eventtype definition in eventtypes.conf with any English text, it started to work as expected.

Could you please tell me if this is a bug and how this can be workarounded?

Thanks in advance.

1 Solution

mgaraventa_splu
Splunk Employee
Splunk Employee

Yes, there is an open bug for it, currently under analysis, but unfortunately not fixed yet. As soon as there are more details about it, I will update it here.

As a workaround, if your eventtypes.conf looks like this:

[test]
search = sourcetype=testST Message="Русский текст"

you could try to look up the field as explained here:

http://docs.splunk.com/Documentation/Splunk/6.1.1/SearchTutorial/Usefieldlookups

Hope this helps.

View solution in original post

mgaraventa_splu
Splunk Employee
Splunk Employee

Yes, there is an open bug for it, currently under analysis, but unfortunately not fixed yet. As soon as there are more details about it, I will update it here.

As a workaround, if your eventtypes.conf looks like this:

[test]
search = sourcetype=testST Message="Русский текст"

you could try to look up the field as explained here:

http://docs.splunk.com/Documentation/Splunk/6.1.1/SearchTutorial/Usefieldlookups

Hope this helps.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...