S.o.S. Errors view no longer showing event counts ...

paulstark · ‎05-07-2014

Ive seen this behavior in many deployments. In the Splunk on Splunk errors page, I select 'Group Similar Events' and the cluster_count does not show up. why?

Ellen · ‎09-09-2014

Since 6.0.3, the cluster search command no longer returns the cluster_count by default.

eg. showcount = false

Prior to 6.0.3, the default of showcount = true

Since displaying the count could have a performance impact, from 6.0.3+ a user can pass showcount = true to the cluster command to return the cluster_count.

eg. index=_internal | cluster showcount=true | table cluster_count, _raw

SPL-83560 updates the documentation for the cluster command default showcount option

hexx · ‎05-07-2014

This is caused by a bug with Splunk Enterprise (reference: SPL-83560) which will be fixed in a future maintenance release.

hexx · ‎05-27-2014

Yes, the issue is indeed with the "cluster" command.

thisissplunk · ‎05-27-2014

Does this also explain why the cluster_count field added to events by the cluster commmand aren't showing up anymore as well? Only cluster_label is showing up now for me.

S.o.S. Errors view no longer showing event counts for clustered events

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!