Weird behaviour with some eventtypes.

bjalex80 · ‎05-15-2012

Splunk 4.2.1 (98164). I have some eventtypes that are not behaving as expected.

One such eventtype is named "E-Triage-LaunchWizard EmptyString for Client ID" with the following definition:

displayName="PUXEYA01" logLevel="error" "sf.sfpp.service.ams.validation.ClientDomainValidationProxy.getAccountsByClientTO" "Empty String is an invalid input for ClientID"

In the flashtimeline view if I execute this query over a 24 hour timeframe I get 9 results:

sourcetype=eventing eventtype="E-Triage-LaunchWizard EmptyString for Client ID"

If I run this one over the same timeframe, I get 0 results:

sourcetype=eventing eventtype="E-Triage-LaunchWizard EmptyString for Client ID" | stats count by eventtype

I also tried this one and also got 0 results:

sourcetype=eventing eventtype="E-Triage-LaunchWizard EmptyString for Client ID" | fields eventtype | stats count by eventtype

This happens for a handful of my eventtypes, but not all of them. Any ideas on what is going on or how to get the desired results?

guiher · ‎09-18-2012

Hello, bjalex80.

Unfortunately, I have the same problem when I try to group by eventtype. I think that´s because some events meet the conditions to be an eventtype but they are not marked as such.

Weird behaviour with some eventtypes.

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life