Weird behaviour with some eventtypes.

bjalex80 · ‎05-15-2012

Splunk 4.2.1 (98164). I have some eventtypes that are not behaving as expected.

One such eventtype is named "E-Triage-LaunchWizard EmptyString for Client ID" with the following definition:

displayName="PUXEYA01" logLevel="error" "sf.sfpp.service.ams.validation.ClientDomainValidationProxy.getAccountsByClientTO" "Empty String is an invalid input for ClientID"

In the flashtimeline view if I execute this query over a 24 hour timeframe I get 9 results:

sourcetype=eventing eventtype="E-Triage-LaunchWizard EmptyString for Client ID"

If I run this one over the same timeframe, I get 0 results:

sourcetype=eventing eventtype="E-Triage-LaunchWizard EmptyString for Client ID" | stats count by eventtype

I also tried this one and also got 0 results:

sourcetype=eventing eventtype="E-Triage-LaunchWizard EmptyString for Client ID" | fields eventtype | stats count by eventtype

This happens for a handful of my eventtypes, but not all of them. Any ideas on what is going on or how to get the desired results?

guiher · ‎09-18-2012

Hello, bjalex80.

Unfortunately, I have the same problem when I try to group by eventtype. I think that´s because some events meet the conditions to be an eventtype but they are not marked as such.

Weird behaviour with some eventtypes.

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!