Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Base Query return 440 events, but stats result is 0

cheriemilk
Path Finder
‎05-07-2020 12:28 AM

Hi team,
I have below query. The base query has 440 events returned, But when I use stats command, tje number is 0. Does the because the special charaters in the string to be matched? How should I correct the string?

(servername=pc* OR host=pc*) AND
sourcetype=access_log_bizx AND
"GET /jsup?m=calibrationOrgDataV12*"
| stats count(eval(searchmatch("GET /jsup?m=calibrationOrgDataV12*"))) as number by SFDC

Tags (1)
0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎05-07-2020 03:03 AM 
 | stats count(eval(searchmatch("*calibrationOrgDataV12*"))) as number by SFDC

Searchmatch had you searching for
"GET /jsup?m=calibrationOrgDataV12*" and "/jsup?m" is not a field name in your data.

0 Karma
Reply

cheriemilk
Path Finder
‎05-11-2020 07:42 PM

@jkat54
probably not as it works for me with other query before

0 Karma
Reply

rkyadav
Path Finder
‎05-07-2020 02:36 AM

@cheriemilk ,
by-clause will make this resolve.

check out field by SFDC , this makes results vary as you have added "by SFDC" . Thats the reason event count does not match stats count.

Try removing the "by SFDC " from your search query , it fetch the results.

https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Stats

by-clause
Syntax: BY
Description: The name of one or more fields to group by. You cannot use a wildcard character to specify multiple fields with similar names. You must specify each field separately. The BY clause returns one row for each distinct value in the BY clause fields. If no BY clause is specified, the stats command returns only one row, which is the aggregation over the entire incoming result set.

hope this is useful.

0 Karma
Reply

cheriemilk
Path Finder
‎05-11-2020 07:41 PM

@rkyadav ,

I removed 'by SFDC', and it returned 1 row with result is 0 as well.

I tried to escape the '=' in the query by '\m', and it returned result to me. 

stats count(eval(searchmatch("GET /jsup?m\=calibrationOrgDataV12*"))) as number by SFDC

Why?

0 Karma
Reply

to4kawa
Ultra Champion
‎05-11-2020 08:09 PM

searchmatch use REGEX.

strings GET /jsup?m\=calibrationOrgDataV12* is match GET /jsum=calibrationOrgDataV1
not ?

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...