Knowledge Management

eventtype with Russian text causes "| stats count by tag" to return no results

mgaraventa_splu
Splunk Employee
Splunk Employee

If I run the search:

tag=S100 | stats count

it returns the correct results. So the tag can be searched, but there is no tag field in the fields list. If instead you run this search:

tag=S100 | stats count by tag

it doesn't return any result. I could reproduce the issue both on Splunk 6.1.1 and 6.0. After replacing the Russian text in Message="" in the eventtype definition in eventtypes.conf with any English text, it started to work as expected.

Could you please tell me if this is a bug and how this can be workarounded?

Thanks in advance.

1 Solution

mgaraventa_splu
Splunk Employee
Splunk Employee

Yes, there is an open bug for it, currently under analysis, but unfortunately not fixed yet. As soon as there are more details about it, I will update it here.

As a workaround, if your eventtypes.conf looks like this:

[test]
search = sourcetype=testST Message="Русский текст"

you could try to look up the field as explained here:

http://docs.splunk.com/Documentation/Splunk/6.1.1/SearchTutorial/Usefieldlookups

Hope this helps.

View solution in original post

mgaraventa_splu
Splunk Employee
Splunk Employee

Yes, there is an open bug for it, currently under analysis, but unfortunately not fixed yet. As soon as there are more details about it, I will update it here.

As a workaround, if your eventtypes.conf looks like this:

[test]
search = sourcetype=testST Message="Русский текст"

you could try to look up the field as explained here:

http://docs.splunk.com/Documentation/Splunk/6.1.1/SearchTutorial/Usefieldlookups

Hope this helps.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...