topic Re: How to use stats in multiple Condition and fields ? in Splunk Search

How to use stats in multiple Condition and fields ?

karthi2809 — Thu, 21 Mar 2024 11:50:18 GMT

Hi Guys,

I am trying fetch details using stats.In this query I am trying get status from the below conditions and when i am populating in the table.The ProccesMsg has some values but in failure conditions i will add message in the result so i used coalesec to map both the result and need to populate in the table.But i cant able to populate the result.What mistake i did here.

index="mulesoft" applicationName="ext" environment=DEV (*End of GL-import flow*) OR (message="GLImport Job Already Running, Please wait for the job to complete*") OR (message="process - No files found for import to ISG") |rename content.File.fstatus as Status|eval Status=case( like('Status' ,"%SUCCESS%"),"SUCCESS",like('Status',"%ERROR%"),"ERROR",like('message',"%process - No files found for import to ISG%"), "ERROR",like('message',"GLImport Job Already Running, Please wait for the job to complete"), "WARN") | eval ProcessMsg= coalesce(ProcessMsg,message) |stats values(content.File.fid) as "TransferBatch/OnDemand" values(content.File.fname) as "BatchName/FileName" values(content.File.fprocess_message) as ProcessMsg values(Status) as Status values(content.File.isg_file_batch_id) as OracleBatchID values(content.File.total_rec_count) as "Total Record Count" by correlationId |table Status Start_Time "TransferBatch/OnDemand" "BatchName/FileName" ProcessMsg OracleBatchID "Total Record Count" ElapsedTimeInSecs "Total Elapsed Time" correlationId

Re: How to use stats in multiple Condition and fields ?

ITWhisperer — Thu, 21 Mar 2024 11:58:40 GMT

It looks like you have an eval for ProcessMsg, immediately followed by a stats command which overwrites the same field - is this your issue?

Re: How to use stats in multiple Condition and fields ?

yuanliu — Fri, 22 Mar 2024 07:58:10 GMT

You need to clarify the problem in search result as well as explain/illustrate your raw data. "Can't populate result" can have a million different meanings. Do you mean to say that you get a completely blank table, i.e., no results at all? If this is the case, you probably do not have a field named correlationId in your raw data.

Or do you mean values(content.File.fprocess_message) as ProcessMsg gives all null output? You cannot expect volunteers to read your mind. Explain in no ambiguous terms.

You speak about ProessMsg but it is not obvious whether a field named "ProcessMsg" exists in raw data, despite a suggestion of that coalesce function. Again, you cannot just ask volunteers to speculate from your code (aka mind-reading) what raw data look like.

Importantly, as @ITWhisperer questioned, why go through all the trouble of coalescing if you are going to discard it, then use field name ProcessMsg to store output of a stats function, as indicated in values(content.File.fprocess_message) as ProcessMsg? Most importantly, what is content.File.fprocess_message? Do you have evidence that this field even has value?

Do you really mean

index="mulesoft" applicationName="ext" environment=DEV (*End of GL-import flow*) OR (message="GLImport Job Already Running, Please wait for the job to complete*") OR (message="process - No files found for import to ISG") |rename content.File.fstatus as Status |eval Status=case( like('Status' ,"%SUCCESS%"),"SUCCESS",like('Status',"%ERROR%"),"ERROR",like('message',"%process - No files found for import to ISG%"), "ERROR",like('message',"GLImport Job Already Running, Please wait for the job to complete"), "WARN") | eval ProcessMsg= coalesce(ProcessMsg,message) |stats values(content.File.fid) as "TransferBatch/OnDemand" values(content.File.fname) as "BatchName/FileName" values(ProcessMsg) as ProcessMsg values(Status) as Status values(content.File.isg_file_batch_id) as OracleBatchID values(content.File.total_rec_count) as "Total Record Count" by correlationId |table Status Start_Time "TransferBatch/OnDemand" "BatchName/FileName" ProcessMsg OracleBatchID "Total Record Count" ElapsedTimeInSecs "Total Elapsed Time" correlationId