If I run the search:
tag=S100 | stats count
it returns the correct results. So the tag can be searched, but there is no tag field in the fields list. If instead you run this search:
tag=S100 | stats count by tag
it doesn't return any result. I could reproduce the issue both on Splunk 6.1.1 and 6.0. After replacing the Russian text in Message="" in the eventtype definition in eventtypes.conf with any English text, it started to work as expected.
Could you please tell me if this is a bug and how this can be worked around?
Thanks in advance.
Yes, there is an open bug for it, currently under analysis, but unfortunately not fixed yet. As soon as there are more details about it, I will update it here.
As a workaround, if your eventtypes.conf looks like this:
[test]
search = sourcetype=testST Message="Русский текст"
you could try to look up the field as explained here:
http://docs.splunk.com/Documentation/Splunk/6.1.1/SearchTutorial/Usefieldlookups
Hope this helps.
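To find which eventtypes in a deployment may be affected, the following added example (not part of the original posts, and not Splunk code) lists the stanzas in an eventtypes.conf whose search string contains non-ASCII characters. It assumes that any non-ASCII character can trigger the behaviour reported above for Russian text; the sample configuration and the function names are constructed for illustration.

```python
# Constructed sample eventtypes.conf (not from a real deployment).
SAMPLE_CONF = '''\
[test]
search = sourcetype=testST Message="Русский текст"

[ascii_only]
search = sourcetype=testST Message="English text"

[multiline]
search = sourcetype=testST \\
    Message="Ошибка"
'''

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}, joining backslash-continued lines."""
    stanzas, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if pending is not None:
            # Continuation of the previous value; it may itself be continued.
            more = line.endswith("\\")
            stanzas[current][pending] += " " + line.rstrip("\\").strip()
            if not more:
                pending = None
            continue
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            current = stripped[1:-1]
            stanzas[current] = {}
        elif current is not None and "=" in stripped:
            key, _, value = stripped.partition("=")
            stanzas[current][key.strip()] = value.rstrip("\\").strip()
            if value.endswith("\\"):
                pending = key.strip()
    return stanzas

def non_ascii_eventtypes(text):
    """Return {eventtype: non-ASCII characters found in its search string}."""
    findings = {}
    for name, settings in parse_conf(text).items():
        odd = sorted({ch for ch in settings.get("search", "") if ord(ch) > 127})
        if odd:
            findings[name] = "".join(odd)
    return findings

if __name__ == "__main__":
    for name, chars in non_ascii_eventtypes(SAMPLE_CONF).items():
        print(f"[{name}] search contains non-ASCII characters: {chars}")
```
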