Stats Max issue

willadams · ‎10-22-2019

I have a query that I am running using dbxquery for specific reasons. Anyway I have run into an interesting issue that I can't seem to put my finger on

My First Query is through SPLUNK 7.2.3 with DBConnect 2.1.4

| dbxquery query="SELECT * FROM \"AppList\".\"dbo\".\"SPLNK_MyTable\"" connection="ApplicationX" wrap=t 
| fields - _raw _time 
| rename "Computer name" AS "name" 
| rename "App File used" AS "App File" 
| rename "Last check-in (GMT)" AS "Last Check In" 
| rename "App Distri" AS "App Version" 
| rename "APPLICATION STATUS" AS "status" 
| eval LastCheckInEpoch=strptime("Last Check In", "%Y-%m-%d %H:%M:%S.%1Q") 
| where (LastCheckInEpoch>= relative_time(now(), "-30d@d") AND LastCheckInEpoch<= now()) 
| stats max(status) as status by name, "App File", "Last Check In", "AppVersion" | eval name=upper(name)

I get results and statistics is happy in his instance.

However running this on SPLUNK 7.2.6 with DBConnect 3.13 I get 0 results. I can't see why. Any suggestions?

willadams · ‎10-22-2019

As suggested by to4kawa the where statement looks like it is not working. On checking my strptime command, I noted that I had %Y-%m-%d %H:%M:%S.%1Q but on adjusting this to %Y-%m-%d %H:%M:%S.%3Q, this seems to have done the trick. I also noted that one of my renames had a lower case instead of an upper case which caused it to break as well.

willadams · ‎10-22-2019

I also had to remove "wrap=t"

Stats Max issue

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life