Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

missing sourcetype in index summary

JeToJedno
Explorer
‎06-06-2018 06:36 AM

I have two summary reports over an index, and one sourcetype is missing from one.

The reports are:
index="esam"
| eval fred=sourcetype.":".host
| eval time=strftime(_time,"%Y-%m-%d")
| stats count BY time, fred
| xyseries time, fred, count
and:
index="esam"
| eval date=strftime( _time, "%Y-%m-%d" ), channel=COALESCE(channel,' ')
| stats min(_time) AS min_time, max(_time) AS max_time, count BY sourcetype, date, channel, host
| fieldformat min_time=strftime(min_time, "%Y-%m-%d %H:%M:%S.%3N")
| fieldformat max_time=strftime(max_time, "%Y-%m-%d %H:%M:%S.%3N")

one sourcetype is present in the results of the first report and missing from the second.

Can you advise where to look for the problem?

Tags (2)
0 Karma
Reply

DalJeanis
Legend
‎06-07-2018 11:20 AM

most likely, there is a record with a sourcetype and no host. Update the second line of the second search to ...

 | eval date=strftime( _time, "%Y-%m-%d" ), channel=COALESCE(channel,' '), host=coalesce(host,"((missing))")
0 Karma
Reply

JeToJedno
Explorer
‎06-08-2018 03:08 AM

Thanks. I tried that. No change.

|time|ESAM:AT_messages:main|ESAM:break_decisioning:main|ESAM:break_evaluation:main|ESAM:break_return:main|ESAM:esam_server_debug:main|ESAM:scte104_splice_request_messages:main|ESAM:vicc_polling:main|ESAM:vicc_sanity_check:main|
|2018-06-05|7615438|18|27|16|3029470|11|57495|46|

and

|sourcetype|date|channel|host|min_time|max_time|count|
|ESAM:break_decisioning|2018-06-05|AD2|main|2018-06-05 08:43:50.641|2018-06-05 16:10:24.016|18|
|ESAM:break_evaluation|2018-06-05|AD2|main|2018-06-05 08:43:50.294|2018-06-05 16:10:13.902|27|
|ESAM:break_return|2018-06-05|AD2|main|2018-06-05 08:52:43.124|2018-06-05 16:12:00.352|16|
|ESAM:scte104_splice_request_messages|2018-06-05|AD2|main|2018-06-05 08:51:06.782|2018-06-05 16:10:24.016|11|
|ESAM:vicc_polling|2018-06-05|AD2|main|2018-06-05 00:00:02.328|2018-06-05 23:59:59.174|38336|
|ESAM:vicc_polling|2018-06-05|TEST|main|2018-06-05 00:00:02.795|2018-06-05 23:59:58.265|19159|
|ESAM:vicc_sanity_check|2018-06-05|AD2|main|2018-06-05 12:59:34.020|2018-06-05 13:37:44.024|6|

Note the ESAM:AT_messages:main present in the first and missing in the second.

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎06-06-2018 06:58 AM

Are you running over the same timerange?

0 Karma
Reply

JeToJedno
Explorer
‎06-06-2018 07:38 AM

Yes. -7d@d -> now
the logs (each sourcetype is a different set of log files) are all over the same timeperiod.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...