Splunk 4.2.1 (98164). I have some eventtypes that are not behaving as expected.
One such eventtype is named "E-Triage-LaunchWizard EmptyString for Client ID" with the following definition:
displayName="PUXEYA01" logLevel="error" "sf.sfpp.service.ams.validation.ClientDomainValidationProxy.getAccountsByClientTO" "Empty String is an invalid input for ClientID"
In the flashtimeline view, if I execute this query over a 24-hour timeframe, I get 9 results:
sourcetype=eventing eventtype="E-Triage-LaunchWizard EmptyString for Client ID"
If I run this one over the same timeframe, I get 0 results:
sourcetype=eventing eventtype="E-Triage-LaunchWizard EmptyString for Client ID" | stats count by eventtype
I also tried this one and also got 0 results:
sourcetype=eventing eventtype="E-Triage-LaunchWizard EmptyString for Client ID" | fields eventtype | stats count by eventtype
This happens for a handful of my eventtypes, but not all of them. Any ideas on what is going on or how to get the desired results?
Hello, bjalex80.
Unfortunately, I have the same problem when I try to group by eventtype. I think that's because some events meet the conditions to be an eventtype but they are not marked as such.