topic Why are the values showing wrong stats? in Splunk Search

Why are the values showing wrong stats?

LH_SPLUNK — Mon, 29 Jan 2018 10:10:23 GMT

earliest=-32d@d | search Mode="GoNoGo"  | stats dc(source) by Number | eval A=if(source= "faulty.csv", "Fail", "Pass") | stats values(A)

Why returns values(A) "Pass" for all entries and

earliest=-32d@d | search Mode="GoNoGo"  |  eval A=if(source= "faulty.csv", "Fail", "Pass") | stats values(A)
returns "Pass" and "Fail"

Like to use:

earliest=-32d@d | search Mode="GoNoGo"  | stats dc(source) by Number | eval A=if(source= "faulty.csv", "Fail", "Pass") | stats values(A) with the values "Pass" and "Fail" for A

Re: Why are the values showing wrong stats?

niketn — Mon, 29 Jan 2018 10:39:10 GMT

@LH_SPLUNK could you please describe what is the final output you are trying to get? Do you want to get the count of Fail and Pass? If this is so you should try the following:

<YourBaseSearchWithIndexAndSourceType> source=* earliest=-32d@d Mode="GoNoGo" 
| stats count(eval(source="faulty.csv")) as Fail count(eval(source!="faulty.csv")) as Pass

In your first search, once you run the stats command you are left only with the fields returned by stats i.e. dc(source) and Number. Hence the subsequent eval on source will always be null resulting in A="Pass" for all source which is the default else condition.

PS: | search Mode="GoNoGo" should actually be a part of your base search for query optimization (hope you have index and/or sourcetype defined in your base search.

Re: Why are the values showing wrong stats?

elliotproebstel — Mon, 29 Jan 2018 14:14:56 GMT

Just to expand and clarify for @LH_SPLUNK, since this little nuance bit me more times than I'd like to admit when I first started using Splunk:

| stats dc(source) BY Number

will leave you with two fields. Those fields will be named dc(source) and Number

| stats dc(source) AS source BY Number

will also leave you with two fields. Those fields will be named source and Number.

So although the restructured search that @niketnilay has proposed above is a more efficient way to get the data you're seeking in this case, I thought it would be good to just be really explicit about why the search you crafted was failing. I've found it to be a best practice for me to always add an AS clause when I'm using stats - so all of my searches look something like this: | stats dc(something) AS something, values(another_thing) AS another_thing... because of how many times I wasted energy trying to figure out where my important field went!