https://community.splunk.com/t5/Splunk-Search/Why-am-I-unable-to-fetch-data-by-using-column-names/m-p/187344#M53968 <P>Case 1:</P> <PRE><CODE>index=xyz | rex "(?i)&lt;ticketId&gt;(?P&lt;TICKETID&gt;[^&lt;;]+)" | stats values(TICKETID) as TICKETID by processname | where TICKETID NOT NULL </CODE></PRE> <P>TICKET ID - numeric eg : 23517727<BR /> processname - string eg : abc</P> <P>I am trying to fetch TICKET ID details by distinct values of processname using the search above. It displays "no results found". </P> <P>Case 2:<BR /> For the above search, if I remove the where clause, it displays both the processname and TICKETID columns where TICKETID column is empty.</P> <P>Case 3: </P> <PRE><CODE>index=xyz | rex "(?i)&lt;ticketId&gt;(?P&lt;TICKETID&gt;[^&lt;]+)" | stats values(TICKETID) as TICKETID by id | where TICKETID NOT NULL </CODE></PRE> <P>id - string eg: 143543337d5ea380261d5b318186dc4a28db9edb0</P> <P>It gives me the results of distinct values of id with corresponding TICKETID values. I want the case 1 in this format.</P> <P>-- id is a kind of primary key in this scenario where as processname isn't.</P> <P>I am new in using splunk. Please do help me asap.</P> <P>Thanks in advance <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 30 Jun 2015 20:27:37 GMT gunturu_nagasri 2015-06-30T20:27:37Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-unable-to-fetch-data-by-using-column-names/m-p/187344#M53968 <P>Case 1:</P> <PRE><CODE>index=xyz | rex "(?i)&lt;ticketId&gt;(?P&lt;TICKETID&gt;[^&lt;;]+)" | stats values(TICKETID) as TICKETID by processname | where TICKETID NOT NULL </CODE></PRE> <P>TICKET ID - numeric eg : 23517727<BR /> processname - string eg : abc</P> <P>I am trying to fetch TICKET ID details by distinct values of processname using the search above. It displays "no results found". </P> <P>Case 2:<BR /> For the above search, if I remove the where clause, it displays both the processname and TICKETID columns where TICKETID column is empty.</P> <P>Case 3: </P> <PRE><CODE>index=xyz | rex "(?i)&lt;ticketId&gt;(?P&lt;TICKETID&gt;[^&lt;]+)" | stats values(TICKETID) as TICKETID by id | where TICKETID NOT NULL </CODE></PRE> <P>id - string eg: 143543337d5ea380261d5b318186dc4a28db9edb0</P> <P>It gives me the results of distinct values of id with corresponding TICKETID values. I want the case 1 in this format.</P> <P>-- id is a kind of primary key in this scenario where as processname isn't.</P> <P>I am new in using splunk. Please do help me asap.</P> <P>Thanks in advance <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 30 Jun 2015 20:27:37 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-unable-to-fetch-data-by-using-column-names/m-p/187344#M53968 gunturu_nagasri 2015-06-30T20:27:37Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-unable-to-fetch-data-by-using-column-names/m-p/187345#M53969 <P>Please share some sample data so we can put your fields into context.</P> Tue, 30 Jun 2015 20:37:17 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-unable-to-fetch-data-by-using-column-names/m-p/187345#M53969 richgalloway 2015-06-30T20:37:17Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-unable-to-fetch-data-by-using-column-names/m-p/187346#M53970 <P>Like this:</P> <P>Case 1 and 2:</P> <PRE><CODE> index=xyz | rex "(?i)&lt;ticketId&gt;(?&lt;TICKETID&gt;[^&lt;;]+)" | stats values(TICKETID) as TICKETID by processname | where isnotnull(TICKETID) </CODE></PRE> <P>Case 3:</P> <PRE><CODE> index=xyz | rex "(?i)&lt;ticketId&gt;(?&lt;TICKETID&gt;[^&lt;]+)" | stats values(TICKETID) as TICKETID by id | where isnotnull(TICKETID) </CODE></PRE> Tue, 30 Jun 2015 21:13:11 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-unable-to-fetch-data-by-using-column-names/m-p/187346#M53970 woodcock 2015-06-30T21:13:11Z