- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Internal field `_serial` is gone in v6.2.3; why?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I only just found out about the existence of the internal _serial field which should be equal to the row-number less 1 (e.g. first row has _serial value of 0, second row has _serial value of 1, etc.) but no matter what I do, I cannot get examples that have been posted here before that use _serial to work. What is the deal with _serial? When did it go away and was it deliberate or a bug?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Based on the comment by @acharlieh I went back and played around and have concluded that _serial only exists for the first set of events that are returned (whatever is under the events tab). Evidently _serial is destroyed by doing any other commands which modify the initial result-set in any way, never to be recalculated. This is extremely unfortunate since this makes _serial pretty much useless. My situation was that I was hoping to use it after doing a stats command but it is gone by then. To remedy this, I regenerated _serial myself like this instead:
... | streamstats current=f count AS _serial
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Based on the comment by @acharlieh I went back and played around and have concluded that _serial only exists for the first set of events that are returned (whatever is under the events tab). Evidently _serial is destroyed by doing any other commands which modify the initial result-set in any way, never to be recalculated. This is extremely unfortunate since this makes _serial pretty much useless. My situation was that I was hoping to use it after doing a stats command but it is gone by then. To remedy this, I regenerated _serial myself like this instead:
... | streamstats current=f count AS _serial
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I upgraded a 6.2.1 instance to 6.2.3 and I'm able to still see _serial and other hidden fields in results doing a search like index=_internal | fields - _raw | rename _* as *_x | table *_x That said, _serial and other hidden fields can be altered and destroyed by transforming commands. So the question is what examples are you trying that seem to not be working?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I never heard of this field. What is the notion of row number in splunk ?
was it for CSV files ? Because this is gone since the 6.* and the INDEXED_EXTRACTIONS.
In case the field is there but hidden, try :
- try to cast it in a field with an eval first.
<my search> | eval serial=_serial | table serial _raw
or maybe try to add it to the fields.conf
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
