Building for the Splunk Platform

Field names showing in table as field everytime I run a search

marvinlee93
Explorer


Hi,

index="alarm" sourcetype="DATAcombined" |streamstats avg(alarmcount) as avg stdev(alarmcount) as stdev |eval threeSigmaLimit = (avg + (stdev * 3)) | where alarmcount > threeSigmaLimit | table _time alarmcount by index2

Above is my search code. And I'm just wondering why my table will show the 'FIELDNAMES' in my table as 'FIELDS' every time I run my code (real-time). Does anybody have any idea why?

Regards,
Marvin Lee

0 Karma

marvinlee93
Explorer


Hi Rich, I've tried the new code but am still getting the same error. However, I've found something interesting. Whenever I refresh the table, since I'm pumping in real-time data, the values of threeSigmaLimit, average and StandardDev change. And some indexes disappear (mostly the lower indexes: 50, 108). I suspect that it is due to the streamstats command??? From what I know, the streamstats should only affect the 'latest' field, right?

0 Karma

Richfez
SplunkTrust

Could you provide a screenshot of "show the 'FIELDNAMES' in my table as 'FIELDS'" ?

All I see in your posted screenshot is exactly what I expect, although you have by in there probably accidentally.

0 Karma

marvinlee93
Explorer

I removed the 'by'. But every time I run the search, sending in real-time data, it will print alarmcount and index2.

0 Karma

Richfez
SplunkTrust

OH!

Ha, I see now. You have the field contents - the actual word 'alarmcount' and 'index2' in there! Sorry, that sort of ... I must have just looked right over it. 😞

Hmmm.....

Can you try

index="alarm" sourcetype="DATAcombined" |streamstats avg(alarmcount) as average stdev(alarmcount) as standarddev |eval threeSigmaLimit = (average  + (standarddev  * 3)) | where 'alarmcount' > 'threeSigmaLimit' | table _time alarmcount index2 threeSigmaLimit average standarddev

Specifically, I've added single-quotes around the two variables in the where, changed the name of stdev and avg to non-keywords, and added extra fields to the display.

What I want to see is if a) the problem goes away (because of the quotes now) and if it doesn't, what are the values of average and standarddev when it is wrong?

If it goes away, I expect it's the quotes - try changing one thing at a time back and see if we can narrow down just what the problem is.

0 Karma

marvinlee93
Explorer

Hi Rich. I have replied to you in a comment below. I've not really found the reason why the alarm count and index are showing, but I realized that the StandardDev and Average are changing for the same index every time I refresh the table. It's supposed to be static. I suspect that it might be due to the streamstats command. From my knowledge, the streamstats command should only change the 'LATEST' field value, right?

And I realized that, whenever I start a new search, it uses the previous average, 3sigmalimit and standarddev VALUE as the initial value, and that's when the 'ALARMCOUNT and INDEX2' appears.

Is there a way to prevent this? The initial value of average should only start counting from the 2nd index, and for Standard Deviation, the initial value should only start after the 3rd index.

0 Karma
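To make the behaviour of the search in this thread concrete, here is an added Python replay of its streamstats / eval / where pipeline over a constructed alarmcount series; it is not code from the thread or from Splunk. It assumes streamstats' default of counting the event being scored in its own avg/stdev (current=t), a sample standard deviation, and stdev=0 until two events exist; the include_current flag and the min_events guard are my own additions.

```python
"""Replay of the thread's streamstats / eval / where pipeline (constructed data)."""
import math

# Constructed sample events in arrival order: (index2, alarmcount).
SAMPLE = [("50", 4), ("108", 5), ("200", 6), ("301", 5), ("404", 40), ("505", 6)]


def _push(n, mean, m2, x):
    """Welford update: running mean and running sum of squared deviations."""
    n += 1
    delta = x - mean
    mean += delta / n
    m2 += delta * (x - mean)
    return n, mean, m2


def running_three_sigma(rows, include_current=True, min_events=3):
    """Score each event against avg + 3*stdev of the events seen so far.

    include_current=True mirrors streamstats' default (current=t): the event
    being scored is part of its own avg/stdev. min_events is an assumed guard,
    because stdev is taken as 0 below two events (assumption), so the first
    rows would otherwise be compared against a limit equal to the average.
    Returns (index2, alarmcount, avg, stdev, threeSigmaLimit, flagged) tuples.
    """
    n, mean, m2 = 0, 0.0, 0.0
    out = []
    for index2, alarmcount in rows:
        if include_current:
            n, mean, m2 = _push(n, mean, m2, alarmcount)
        if n == 0:                      # nothing seen yet: no statistics at all
            avg = stdev = limit = None
        else:
            avg = mean
            stdev = math.sqrt(m2 / (n - 1)) if n >= 2 else 0.0  # sample stdev
            limit = avg + 3 * stdev     # the eval threeSigmaLimit line
        flagged = limit is not None and n >= min_events and alarmcount > limit
        out.append((index2, alarmcount, avg, stdev, limit, flagged))
        if not include_current:
            n, mean, m2 = _push(n, mean, m2, alarmcount)
    return out


def flagged_indexes(rows, include_current=True):
    """index2 values the where clause would keep."""
    return [r[0] for r in running_three_sigma(rows, include_current) if r[5]]


if __name__ == "__main__":
    for mode in (True, False):
        print("current included" if mode else "current excluded",
              flagged_indexes(SAMPLE, mode))
```

With the spike at index2 404 counted in its own statistics, it inflates stdev and the limit (about 59.0) and is never flagged; scoring each event against the preceding events only (streamstats current=f in SPL) flags it against a limit of about 7.45.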