Traditionally when we do a count across fields we would run: |top limit=0 Hostname, Error Job Name, Error ID, Service ID, Application ID, Error Transaction ID, Record Info
In this case, the top command only returns results where data is present in all fields, so it would eliminate any events without Error Job Name. (The fields where Error Job Name is blank would not display.)
We are looking for a way to count these events across all fields, including fields that are not populated by a regular expression or field extraction.
Perhaps you can try using the fillnull option to see if it will help. Something along the lines of "... "Error Job Name" | fillnull value="NA" | top..."
http://docs.splunk.com/Documentation/Splunk/5.0.1/SearchReference/Fillnull
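The fillnull suggestion above, written out as a full search. This is an added example, not part of the original question or answer; the three events and their values are constructed, only two of the question's fields are used, and it assumes a Splunk version that provides makeresults for generating sample events.

```spl
| makeresults count=3
| streamstats count AS n
``` Constructed sample: event 3 has no "Error Job Name" value ```
| eval Hostname=case(n=1, "hostA", n=2, "hostA", n=3, "hostB")
| eval "Error Job Name"=case(n=1, "nightly_load", n=2, "nightly_load")
``` Replace nulls in the counted fields so top does not drop the event ```
| fillnull value="NA" Hostname "Error Job Name"
| top limit=0 Hostname, "Error Job Name"
```

With the fillnull line removed, the hostB event is missing from the top output; with it, hostB appears with "Error Job Name" shown as NA. Field names that contain spaces are quoted in both commands.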