Hi,
I have an extraction with the name "remotesystemid", but when I execute the query below it gives values with a null column.
index=abc sourcetype=xyz | timechart count by remotesystemid
If I use ( | stats values(*) as * by remotesystemid ) with the above command to exclude the null value, it gives "no results found".
Kindly suggest where I am wrong.
Thanks
Your field extraction for remotesystemid is not working, but we can do this inside your search; try this:
index=abc sourcetype=xyz | rex "RemoteSystemId is (?<remotesystemid>\S+)" | timechart count by remotesystemid
Thanks again for replying. It works, but the results are still not displaying correctly. Three columns are showing.
In the null column it is showing counts for the RemoteSystemID exception, and in the nullcom.basware.bt.access.RemoteSystemIDNullException column it is showing counts of zero.
One more thing I have noticed: when I click on the counts shown in the null column to view the events, it shows nothing (no results found), but when I click on the zero in the 3rd column and view the events, it shows the RemoteSystemID exception.
How do I solve this? Any suggestions? Thanks
Regards
What you are describing is exactly correct behavior. There is a "null" field because inside your data are events like this (or similar):
INFO [http-8080-Processor22] 09-15 15:22:40 RemoteSystemId is Null
As far as the RemoteSystemIDNullException (always) showing zero; this is also likely not the case. I can believe that it is mostly showing zero, but not always. Try this search:
index=abc sourcetype=xyz | rex "RemoteSystemId is (?<remotesystemid>\S+)" | stats last(_raw) AS raw count by remotesystemid
See what I mean?
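Added example, not from the original thread or from Splunk: a small Python emulation of the rex in the answer above, run over constructed events (the two log lines the asker posts further down, the "RemoteSystemId is Null" line described in this answer, plus two hypothetical lines, one with a normal value and one with no RemoteSystemId at all). It shows exactly what `\S+` captures for each event, and which events land under the NULL label that `timechart count by` assigns to events lacking the split-by field. The time bucketing of timechart is left out; only the grouping and counting is emulated.

```python
import re
from collections import OrderedDict

# Constructed sample events (not from the thread's real index): the two lines the
# asker posted, the "RemoteSystemId is Null" line the answer describes, one
# hypothetical healthy line, and one hypothetical line with no RemoteSystemId.
EVENTS = [
    "INFO [http-8080-Processor22] 09-15 15:22:40 RemoteSystemId is nullcom.basware.bt.access.RemoteSystemIDNullException: Remote-System is NULL! Check the URL (MessengerServlet.java:257)",
    "INFO [http-8080-Processor24] 09-15 15:21:40 RemoteSystemId is nullcom.basware.bt.access.RemoteSystemIDNullException: Remote-System is NULL! Check the URL (MessengerServlet.java:257)",
    "INFO [http-8080-Processor22] 09-15 15:22:40 RemoteSystemId is Null",
    "INFO [http-8080-Processor30] 09-15 15:23:10 RemoteSystemId is SAP-PRD-01",  # hypothetical
    "INFO [http-8080-Processor31] 09-15 15:23:40 heartbeat ok",                  # hypothetical
]

# The rex from the answer. Splunk writes named groups as (?<name>...),
# Python's re module needs (?P<name>...). The literal text is case-sensitive.
REX = re.compile(r"RemoteSystemId is (?P<remotesystemid>\S+)")

# Label that chart/timechart use for events that have no value for the split-by field.
NULL_LABEL = "NULL"


def extract(raw):
    """Return the remotesystemid value for one event, or None when the rex does not match."""
    m = REX.search(raw)
    return m.group("remotesystemid") if m else None


def count_by(events, usenull=True):
    """Emulate `| stats last(_raw) AS raw count by remotesystemid`.

    usenull=True keeps events without the field under NULL_LABEL, which is what
    `timechart count by remotesystemid` does by default. usenull=False drops
    them, which is what `stats ... by remotesystemid` does (and what
    `timechart ... usenull=f` does).
    """
    rows = OrderedDict()
    for raw in events:
        value = extract(raw)
        if value is None:
            if not usenull:
                continue
            value = NULL_LABEL
        row = rows.setdefault(value, {"count": 0, "raw": None})
        row["count"] += 1
        row["raw"] = raw  # last(_raw): most recent event seen for this value
    return rows


if __name__ == "__main__":
    for value, row in count_by(EVENTS).items():
        print(f"{row['count']:>3}  {value!r}")
        print(f"     {row['raw']}")
```

Two things the output makes visible: `\S+` runs to the next whitespace, so the exception events are grouped under `nullcom.basware.bt.access.RemoteSystemIDNullException:` with the trailing colon, while `RemoteSystemId is Null` yields the literal string `Null`, a real field value and not a missing field. Only the heartbeat-style line, which the rex does not match, has no field at all and is what ends up in the NULL column; `timechart count by remotesystemid usenull=f` suppresses that column, and `stats ... by remotesystemid` never shows it because stats discards events lacking the by-field.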
Well, thanks once again, buddy. It started giving results, but not in the exact manner I want. I don't know why, but I will figure it out. Now if I click on "show events" it shows the events, but somehow I want the same data in some other format. Thanks a ton once again. Regards
Are you running in Fast mode? Try Verbose instead. Fast disables search-time field extractions. Also field names are case-sensitive.
Hey, thanks for replying. In Verbose mode I am getting the same result: there are 2 columns
1.) timeframe 2.) Null (which is showing the counts)
I just don't understand why Splunk behaves weirdly. Do you have any suggestions for me?
Regards
None of your events have a field named remotesystemid. Solve that and your whole problem is gone.
Below are my logs in which "remotesystemid" is used, so I have made the extraction on the basis of that. Please have a look. Thanks
INFO [http-8080-Processor22] 09-15 15:22:40 RemoteSystemId is nullcom.basware.bt.access.RemoteSystemIDNullException: Remote-System is NULL! Check the URL (MessengerServlet.java:257)
INFO [http-8080-Processor24] 09-15 15:21:40 RemoteSystemId is nullcom.basware.bt.access.RemoteSystemIDNullException: Remote-System is NULL! Check the URL (MessengerServlet.java:257)
It would seem Splunk is not finding your remotesystemid field. What does your data look like? Have you tried index=abc sourcetype=xyz | table remotesystemid ?
Thanks for the reply. Yes, I have tried the same, but it gives "no results found". Do you have any idea what to do in this case? Thanks
I think it's going wrong somewhere on the sourcetype=xyz assignment. That's not getting done for some reason so nothing that depends on it happens either. If it were getting done, the search would return a bunch of blanks, not "no results found" (I think).
Did the host change IP addresses or something?
First, on the Splunk server it is found under the user directory and it has the following entries under it:
[sc-kofax-extracts]
[sc-nova-email]
[ng-pay]
Along with this, it is found under (etc/system/local/) as well, and the entries are
[my-onp-front]
TRANSFORMS-drop_noise = heartbeat
and on my local system, from where I am pushing the data to the Splunk server through the universal forwarder, it is found under ($SPLUNK_HOME\SplunkUniversalForwarder\etc\system\default) and under this there are no entries related to "remotesystemid"
I don't see an [xyz] stanza in your etc/system/local/props.conf file. That means Splunk has no instructions about how to process that sourcetype and won't know how to find the remotesystemid field.
Everything is handled by my system. Logs are placed on my local system. The sourcetype is defined in my local system's inputs.conf file and I am pushing logs to the server with the Splunk forwarder from my local system.
Once the logs get to your local system (the indexer), there should be a props.conf file describing how the xyz sourcetype should be handled. The relevant portion of that file will begin with "[xyz]". Please share that text, if it exists. If it doesn't exist, then we've found your problem.
Post a sample of your data so we can help you extract the remotesystemid field.
Now I am getting something with the query below, but it gives me values with a "null" column and a timeframe column. The timeframe column shows the right time and the null column shows the right values, but I don't need the values under the null column name, so for that I have used the stats command with the query below (| stats values(*) as * by remotesysid), but then again it gives me "no results found".
index=abc sourcetype=xyz | timechart count by remotesysid
What is the [xyz] stanza of your props.conf file?
Sorry, but I didn't get you. Could you please elaborate more?
How is the field "remotesystemid" extracted? You should have an entry in your props.conf file, which is located either in $SPLUNK_HOME/etc/system/local/ or $SPLUNK_HOME/etc/users/yourusername/search/local/, depending on whether the field extraction is public or private.
Please refer to the link @richgalloway has posted in his comment for further info about the props.conf