topic Unfamiliar Syntax in Query in Splunk Search

Unfamiliar Syntax in Query

inovexsean — Thu, 31 Jan 2019 14:30:28 GMT

I have a query, written by someone else, that I'm trying to understand: tstats count as count sum(sessionLength) as volume where (index=accm_*) name="John",selectors{}.category{}=* by selectors{}.categories{}, |.... I can not find a reference anywhere for the selectors{}.category{}. Could someone please point me in the right direction? Thanks.

Re: Unfamiliar Syntax in Query

mayurr98 — Thu, 31 Jan 2019 14:41:12 GMT

First of all are you getting output? query fails here itself at index-accm_* it should be index=accm_* can you paste entire query in 101010 sample code format.

Re: Unfamiliar Syntax in Query

inovexsean — Thu, 31 Jan 2019 14:51:07 GMT

Sorry, that was a typo on my part. Due to sensitivity I cannot copy paste the entire query.

Re: Unfamiliar Syntax in Query

mayurr98 — Thu, 31 Jan 2019 14:58:31 GMT

okay now it looks better so if you look the raw data in verbose mode that is type this search query index=accm_* name=* you should see a field name selectors{}.categories{}.

You are basically doing event count and sum of session length by categories(values in the selectors{}.categories{} field )

Re: Unfamiliar Syntax in Query

inovexsean — Thu, 31 Jan 2019 15:07:34 GMT

Okay, so that's just some kind of internal field name that you only see when verbose mode is enabled. Thank you.

Re: Unfamiliar Syntax in Query

mayurr98 — Thu, 31 Jan 2019 15:09:41 GMT

yeah the query is written in tstats (which will not allow you to look at the raw data and is basically use for faster processing of searches when data model acceleration is ON)