- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Internal field `_serial` is gone in v6.2.3; why?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I only just found out about the existence of the internal _serial field which should be equal to the row-number less 1 (e.g. first row has _serial value of 0, second row has _serial value of 1, etc.) but no matter what I do, I cannot get examples that have been posted here before that use _serial to work. What is the deal with _serial? When did it go away and was it deliberate or a bug?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Based on the comment by @acharlieh I went back and played around and have concluded that _serial only exists for the first set of events that are returned (whatever is under the events tab). Evidently _serial is destroyed by doing any other commands which modify the initial result-set in any way, never to be recalculated. This is extremely unfortunate since this makes _serial pretty much useless. My situation was that I was hoping to use it after doing a stats command but it is gone by then. To remedy this, I regenerated _serial myself like this instead:
... | streamstats current=f count AS _serial
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Based on the comment by @acharlieh I went back and played around and have concluded that _serial only exists for the first set of events that are returned (whatever is under the events tab). Evidently _serial is destroyed by doing any other commands which modify the initial result-set in any way, never to be recalculated. This is extremely unfortunate since this makes _serial pretty much useless. My situation was that I was hoping to use it after doing a stats command but it is gone by then. To remedy this, I regenerated _serial myself like this instead:
... | streamstats current=f count AS _serial
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I upgraded a 6.2.1 instance to 6.2.3 and I'm able to still see _serial and other hidden fields in results doing a search like index=_internal | fields - _raw | rename _* as *_x | table *_x That said, _serial and other hidden fields can be altered and destroyed by transforming commands. So the question is what examples are you trying that seem to not be working?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I never heard of this field. What is the notion of row number in splunk ?
was it for CSV files ? Because this is gone since the 6.* and the INDEXED_EXTRACTIONS.
In case the field is there but hidden, try :
- try to cast it in a field with an eval first.
<my search> | eval serial=_serial | table serial _raw
or maybe try to add it to the fields.conf
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
