Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

eventtype with Russian text causes "| stats count by tag" to return no results

mgaraventa_splu
Splunk Employee
Splunk Employee
‎07-25-2014 04:06 AM

If I run the search:

tag=S100 | stats count

it returns the correct results. So the tag can be searched, but there is no tag field in the fields list. If instead you run this search:

tag=S100 | stats count by tag

it doesn't return any result. I could reproduce the issue both on Splunk 6.1.1 and 6.0. After replacing the Russian text in Message="" in the eventtype definition in eventtypes.conf with any English text, it started to work as expected.

Could you please tell me if this is a bug and how this can be workarounded?

Thanks in advance.

Reply
1 Solution
Solved! Jump to solution
Solution

mgaraventa_splu
Splunk Employee
Splunk Employee
‎07-25-2014 04:09 AM

Yes, there is an open bug for it, currently under analysis, but unfortunately not fixed yet. As soon as there are more details about it, I will update it here.

As a workaround, if your eventtypes.conf looks like this:

[test]
search = sourcetype=testST Message="Русский текст"

you could try to look up the field as explained here:

http://docs.splunk.com/Documentation/Splunk/6.1.1/SearchTutorial/Usefieldlookups

Hope this helps.

View solution in original post

Reply
Solved! Jump to solution
Solution

mgaraventa_splu
Splunk Employee
Splunk Employee
‎07-25-2014 04:09 AM

Yes, there is an open bug for it, currently under analysis, but unfortunately not fixed yet. As soon as there are more details about it, I will update it here.

As a workaround, if your eventtypes.conf looks like this:

[test]
search = sourcetype=testST Message="Русский текст"

you could try to look up the field as explained here:

http://docs.splunk.com/Documentation/Splunk/6.1.1/SearchTutorial/Usefieldlookups

Hope this helps.

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...