Solved: eventtype with Russian text causes "| stats count ...

mgaraventa_splu · ‎07-25-2014

If I run the search:

tag=S100 | stats count

it returns the correct results. So the tag can be searched, but there is no tag field in the fields list. If instead you run this search:

tag=S100 | stats count by tag

it doesn't return any result. I could reproduce the issue both on Splunk 6.1.1 and 6.0. After replacing the Russian text in Message="" in the eventtype definition in eventtypes.conf with any English text, it started to work as expected.

Could you please tell me if this is a bug and how this can be workarounded?

Thanks in advance.

mgaraventa_splu · ‎07-25-2014

Yes, there is an open bug for it, currently under analysis, but unfortunately not fixed yet. As soon as there are more details about it, I will update it here.

As a workaround, if your eventtypes.conf looks like this:

[test]
search = sourcetype=testST Message="Русский текст"

you could try to look up the field as explained here:

http://docs.splunk.com/Documentation/Splunk/6.1.1/SearchTutorial/Usefieldlookups

Hope this helps.

View solution in original post

mgaraventa_splu · ‎07-25-2014

Yes, there is an open bug for it, currently under analysis, but unfortunately not fixed yet. As soon as there are more details about it, I will update it here.

As a workaround, if your eventtypes.conf looks like this:

[test]
search = sourcetype=testST Message="Русский текст"

you could try to look up the field as explained here:

http://docs.splunk.com/Documentation/Splunk/6.1.1/SearchTutorial/Usefieldlookups

Hope this helps.

eventtype with Russian text causes "| stats count by tag" to return no results

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!