topic debugging when columns are not filled out in Splunk Search

debugging when columns are not filled out

tb5821 — Fri, 09 Nov 2018 14:26:39 GMT

How does one debug searches when you expect a column to be filled out yet its not?

sourcetype=mongo_stats 
| streamstats current=f last(count) as last_count last(_time) as time_of_last_change by namespace
| eval diffoflastchange=now()-time_of_last_change
| eval HH:MM:SS_since_last_change=tostring(diffoflastchange,"duration")
| rename count as current_count 
| fieldformat current_count=tostring(current_count,"commas") 
| table namespace current_count  HH:MM:SS_since_last_change lastChange | addcoltotals current_count | dedup namespace  | sort -current_count

for some reason the only columns I get are namespace and current count - the others are all blank but the logic to calculate the others looks right!

Re: debugging when columns are not filled out

kmaron — Fri, 09 Nov 2018 14:37:45 GMT

In my experience it's best to strip down to the first piece and make sure it works then add back a piece at a time. so start with your streamstats and make sure its giving you what you expect.

 sourcetype=mongo_stats 
 | streamstats current=f last(count) as last_count last(_time) as time_of_last_change by namespace

is count a field that already exists in your sourcetype? if not you'll need a stats to do your counting before the streamstats.

Re: debugging when columns are not filled out

tb5821 — Fri, 09 Nov 2018 14:54:28 GMT

yes it exists - problem seems to be that it can't tie the eval fields to the right namespace field?