thanks again for replying.. it works but still results are not displaying exactly. Three columns are showing.

1. timeframe 2.Null 3. nullcom.basware.bt.access.RemoteSystemIDNullException:

In null column it is showing counts for RemotesystemID exception and in nullcom.basware.bt.access.RemoteSystemIDNullException this column it is showing counts in zero.
one more thing that i have acknowledged that is in null column when i am clicking on counts which is showing in null to view the events it is showing nothing (no result found) but when i am clicking on 3rd column and view events in that by clicking on zero than it shows the RemotesystemID exception.

How to solve this? Any suggestions.. thanks

Regards

What you are describing is exactly correct behavior. There is a "null" field because inside your data are events like this (or similar):

INFO [http-8080-Processor22] 09-15 15:22:40 RemoteSystemId is Null

As far as the RemoteSystemIDNullException (always) showing zero; this also likely not the case. I can believe that is is mostly showing zero but not always. Try this search:

 index=abc sourcetype=xyz | rex "RemoteSystemId is (?<remotesystemid>\S+)" | stats last(_raw) AS raw count by remotesystemid

See what I mean?

Well thanks once again buddy.. it started giving the result but not in the exact manner what I want.. I don't know why but I will configure it out.. Now if i am clicking on "show events" it is showing the events but somehow i want the same data in some other format.. thanks a ton once again... Regards

hey.. thanks for replying.. In verbose mode even i am getting the same result like there are 2 columns

1.)timeframe 2.) Null (which is showing the counts)

I just don't understand why Splunk behaves weird? Do you have any suggestions for me?

Regards

None of your events have a field named remotesystemid. Solve that and your whole problem is gone.

Here below given is my logs in which "remotesystemid" is used so i have made extraction basis of that Please have a look. thanks

INFO [http-8080-Processor22] 09-15 15:22:40 RemoteSystemId is nullcom.basware.bt.access.RemoteSystemIDNullException: Remote-System is NULL! Check the URL (MessengerServlet.java:257)
INFO [http-8080-Processor24] 09-15 15:21:40 RemoteSystemId is nullcom.basware.bt.access.RemoteSystemIDNullException: Remote-System is NULL! Check the URL (MessengerServlet.java:257)

thanks for the reply.. yes i have tried the same but it is giving "no result found".. Do you have any idea what to do in this case? thanks

I think it's going wrong somewhere on the sourcetype=xyz assignment. That's not getting done for some reason so nothing that depends on it happens either. If it were getting done, the search would return a bunch of blanks, not "no results found" (I think).

Did the host change IP addresses or something?

First on splunk server its found under user directory and it has following entries under it -

[sc-kofax-extracts]
[sc-nova-email]
[ng-pay]

With this it is found under (etc/system/local/) as well and entries are

[my-onp-front]
TRANSFORMS-drop_noise = heartbeat

and on my local system from where i am pushing the data to splunk server through universal forwarder, its found under ($SPLUNK_HOMESplunkUniversalForwarderetcsystemdefault) and under this there are no entries related to "remotesystemid"

I don't see an [xyz] stanza in your etc/system/local/props.conf file. That means Splunk has no instructions about how to process that sourcetype and won't know how to find the remotesystemid field.

Everything is handling by my system. Logs are placed in my local system. sourcetype is defined in my local system inputs.conf file and i am pushing logs on the server by splunk forwarder from my local system.

Once the logs get to your local system (the indexer), there should be a props.conf file describing how the xyz sourcetype should be handled. The relevant portion of that file will begin with "[xyz]". Please share that text, if it exists. If it doesn't exist, then we've found your problem.

Post a sample of your data so we can help you extract the remotesystemid field.

Now i am getting something by below query but its give me values with "null" column and timeframe column where as time frame column is showing right time and null column showing the right values but i don't need values with null column name so for that I have used stats command with the below query (| stats values(*) as * by remotesysid) but then again it is giving me "no result found"..

index=abc sourcetype=xyz | timechart count by remotesysid

What is the [xyz] stanza of your props.conf file?

sorry but didn't get you? could you please elaborate more?

How is the field "remotesystemid" extracted? You should have an entry in your props.conf file, which is located either in $SPLUNK_HOME/etc/system/local/ or $SPLUNK_HOME/etc/users/yourusername/search/local/ - depending if the field extraction is public or private

Please refer to the link @richgalloway has posted in his comment for further info about the props.conf