Splunk Search

error on tag and dedup in search

asabatini85
Path Finder

Hi all,

I have a weird error on my splunk instance 7.3.0.
I created a tag called application_web; if I try to use this tag with dedup on the dest field, I get the value of the source in my field.

Example:

search
tag=application_web app=nmol OR app=cross
| dedup dest
| table dest

results

dest
source::/u01/wlslog/osb_ib_prod/osb_lxosb061/serverlogs/access.log|host::LXOSB061|cross_access
source::/u01/wlslog/osb2_ib_prod/osb_lxosb074/serverlogs/access.log|host::LXOSB074|cross_access
source::/u01/app/oracle/admin/osb2_prod/mserver/osb2_prod/servers/osb_lxosb004_d/logs/access.yyyyMMdd.log|host::lxosb004.gbm.lan|cross_access

But if I remove the dedup, Splunk works correctly, also with the index and sourcetype fields in the search.

Has someone had the same issue?

Regards

0 Karma

stefan_d
Path Finder

Hi

I have a similar issue.

It seems to be connected with the search term and the use of the dedup.

Search producing the problem:

index=index_*

|dedup HOSTNAME POLICY_NAME

The result populates a field COMP_SUMMARY_FAILURE_NAME with source::xxx|host::yyy|zzz,
where xxx = value of source, yyy = value of host, zzz = value of sourcetype.
The result is reproducible for a subset of events and always for this field.

This does not happen when:
- adding more specific terms, e.g. HOSTNAME=blabla
- not using a wildcard for the index, e.g. index=index_specific
- not using dedup, then the result returns multiple events with the field in question containing no values

Smells like a bug?

0 Karma

gcusello
SplunkTrust

Hi asabatini85,
if you run only the search without dedup and table, what do you see in the dest field?

Ciao.
Giuseppe

0 Karma

asabatini85
Path Finder

I downvoted this post because it's not an answer but a comment.

0 Karma

gcusello
SplunkTrust

Hi asabatini85
Sorry for my comment; I'm trying to explain that you cannot dedup on an empty field. In fact, if you use | dedup <field>, all the values with ="" are excluded from the results.
This is the reason why I suggested running your search without table and dedup, to see the values of the dest field.
This means that you have to find why dest is empty.

Giuseppe

0 Karma
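To make the point about empty fields concrete, here is a small Python model of how dedup treats events whose dedup field is missing or empty. This is an added illustration, not code from the thread or from Splunk itself: the events, hosts, paths and dest values are constructed, and the function is a simplified model of SPL's documented behaviour (events with a null field are dropped by default; the keepempty=<bool> option passes them through).

```python
# Added illustration (not from the thread): a minimal model of how Splunk's
# `dedup` handles events whose dedup field is missing or empty.
from typing import Dict, Iterable, List

Event = Dict[str, str]

# Constructed sample events: only some of them carry a dest value, mirroring a
# search in which the dest field is not yet extracted for every event.
SAMPLE_EVENTS: List[Event] = [
    {"source": "/var/log/a.log", "host": "hostA", "sourcetype": "cross_access", "dest": "10.0.0.5"},
    {"source": "/var/log/a.log", "host": "hostA", "sourcetype": "cross_access", "dest": "10.0.0.5"},
    {"source": "/var/log/b.log", "host": "hostB", "sourcetype": "cross_access"},             # dest missing
    {"source": "/var/log/c.log", "host": "hostC", "sourcetype": "cross_access", "dest": ""},  # dest empty
    {"source": "/var/log/d.log", "host": "hostD", "sourcetype": "cross_access", "dest": "10.0.0.9"},
]


def dedup(events: Iterable[Event], fields: List[str], keepempty: bool = False) -> List[Event]:
    """Keep the first event for each distinct combination of `fields`.

    Simplified model of SPL's dedup: an event in which any of the listed fields
    is absent or empty is dropped by default; with keepempty=True such events
    are passed through unchanged instead of being discarded.
    """
    seen = set()
    kept: List[Event] = []
    for ev in events:
        values = tuple(ev.get(f) for f in fields)
        if any(v in (None, "") for v in values):
            # Null/empty dedup field: drop the event unless keepempty is set.
            if keepempty:
                kept.append(ev)
            continue
        if values in seen:
            continue          # duplicate combination: keep only the first one
        seen.add(values)
        kept.append(ev)
    return kept


def dest_values(events: Iterable[Event], keepempty: bool = False) -> List[str]:
    """Return the dest column as `| dedup dest | table dest` would show it
    ("<null>" marks an event that has no dest field at all)."""
    return [ev.get("dest", "<null>") for ev in dedup(events, ["dest"], keepempty=keepempty)]


if __name__ == "__main__":
    # Default: the events with no dest value silently disappear.
    print(dest_values(SAMPLE_EVENTS))                  # ['10.0.0.5', '10.0.0.9']
    # keepempty=True: the events without dest survive, so you can see them.
    print(dest_values(SAMPLE_EVENTS, keepempty=True))  # ['10.0.0.5', '<null>', '', '10.0.0.9']
```

The practical reading for the thread: if dest is empty for most events, `| dedup dest` removes exactly those events, so an unexpected value showing up in the dest column means some events do carry a (wrong) dest value; listing the field without dedup, or with keepempty=true, shows which events those are.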

asabatini85
Path Finder

Nothing, but that is correct because the dest field doesn't have a value for now.

0 Karma

gcusello
SplunkTrust

Hi asabatini85,
how can you use dedup for a field with no values?

Ciao.
Giuseppe

0 Karma