topic Re: help on a stats command with a filter token in Splunk Search

help on a stats command with a filter token

jip31 — Tue, 30 Mar 2021 09:27:27 GMT

hello

I use the search below which works fine

`fiability` | fields host Logfile SourceName ProductName SITE DEPARTMENT RESPONSIBLE_USER | search Logfile=Application AND (SourceName="Application Hang" OR SourceName="Application Error") | search (ProductName=*) | stats last(SITE) as SITE, last(DEPARTMENT) as DEPARTMENT, last(RESPONSIBLE_USER) as RESPONSIBLE_USER, count(eval(SourceName="Application Error")) as "Number of Errors", count(eval(SourceName="Application Hang")) as "Number of Hang", count as "Number of crashes" by ProductName | rename ProductName as Product | sort -"Number of crashes"

The problem I have is in my xml file because I use token filters on DEPARTMENT and RESPONSIBLE_USER fields

Since I just use a stats by ProductName, the RESPONSIBLE_USER related to the ProductName is just the last RESPONSIBLE_USER of the productName and not all the RESPONSIBLE_USER for a specific ProductName

So when I use the token for the RESPONSIBLE_USER in my dashboard, it doesn't reflect the exact reality

And if I do a stats by ProductName RESPONSIBLE_USER it's not good because I have many count for a same ProductName

What I need is to have a single count for a same ProductName and in the same time having all the ProductName count for a same RESPONSIBLE_USER (it means something else than the last RESPONSIBLE_USER for a ProductName...)

Could you help me please?

Re: help on a stats command with a filter token

richgalloway — Tue, 30 Mar 2021 12:17:45 GMT

Use the values function of stats to get all values of RESPONSIBLE_USER

... | stats last(SITE) as SITE, last(DEPARTMENT) as DEPARTMENT, values(RESPONSIBLE_USER) as RESPONSIBLE_USER, count(eval(SourceName="Application Error")) as "Number of Errors", count(eval(SourceName="Application Hang")) as "Number of Hang", count as "Number of crashes" by ProductName ...

Re: help on a stats command with a filter token

jip31 — Wed, 31 Mar 2021 12:19:44 GMT

I have already done this and it works if I put the token before the stats command

| search ProductName="browser_*" AND RESPONSIBLE_USER=*ABCDE* | stats last(SITE) as SITE, values(DEPARTMENT) as DEPARTMENT, values(RESPONSIBLE_USER) as RESPONSIBLE_USER, count(eval(SourceName="Application Error")) as "Number of Errors", count(eval(SourceName="Application Hang")) as "Number of Hang", count as "Number of crashes" by ProductName

but.....

For this search, I use a scheduled search

So it means that I use my filter token after the loadjob command

| loadjob savedsearch="admin:XXXX:YYYYY" | search RESPONSIBLE_USER=$tok_filterresponsible|s$

And in this case I am unable to filter on the good RESPONSIBLE_USER....

Re: help on a stats command with a filter token

richgalloway — Wed, 31 Mar 2021 13:48:40 GMT

The values function may produce a multi-value field that requires using the mvfind function to search.

Re: help on a stats command with a filter token

jip31 — Fri, 09 Apr 2021 10:02:00 GMT

Have you an example please?

Re: help on a stats command with a filter token

richgalloway — Fri, 09 Apr 2021 16:03:02 GMT

| loadjob savedsearch="admin:XXXX:YYYYY" | where isnotnull(mvfind(RESPONSIBLE_USER, $tok_filterresponsible|s$)))

mvfind looks in the multi-value field for the given string. If successful, it returns an index into the field; otherwise, it returns NULL.