Solved: why my eval strptime(substr()) field is not create...

mah · ‎10-29-2020

Hi,

I have a search like this :

index="test" sourcetype="B"
| dedup Id
| eval horodate=strptime(substr(Horodate,1,10),"%Y-%m-%d")
| fieldformat horodate=strftime(horodate,"%Y-%m-%d")
| stats count(eval(Statut=="OK")) as OK count(eval(Statut=="KO")) as KO count(Statut) as TOTAL by horodate

This search works good with time picker "last 24h" :

but not with the time picker "Today" : it returns "no results found" whereas I have 3 events ...

I found that the

can you help me please ?

mah · ‎10-29-2020

Yes, It is as I said : all values in all fields was twice.

So I added on the search head an app with the sourcetype "B" with le parameter KV_MODE = none :

[B]

KV_MODE = none

and all values appear one time only :

And finally my beginning query works well !

Thank you for your help.

View solution in original post

ITWhisperer · ‎10-29-2020

How many Statut fields do you have in interesting fields and what are their values?

mah · ‎10-29-2020

hi @ITWhisperer

just one field Statut and 2 values OK,KO :

ITWhisperer · ‎10-29-2020

Sometimes stats has difficulty counting evals

index="test" sourcetype="B"
| dedup Id
| eval horodate=strptime(substr(Horodate,1,10),"%Y-%m-%d")
| fieldformat horodate=strftime(horodate,"%Y-%m-%d")
| eval OK=if(Statut="OK",1,0)
| eval KO=if(Statut="KO",1,0)
| stats sum(OK) as OK sum(KO) as KO count(Statut) as TOTAL by horodate

mah · ‎10-29-2020

What I have just notice is that all values of each field appear twice :

my props :

[B]
SHOULD_LINEMERGE = 0
category = Splunk App Add-on Builder
pulldown_type = 1
INDEXED_EXTRACTIONS = json
TIME_PREFIX = Horodate

ITWhisperer · ‎10-29-2020

Try trimming Statut

index="test" sourcetype="B"
| dedup Id
| eval horodate=strptime(substr(Horodate,1,10),"%Y-%m-%d")
| fieldformat horodate=strftime(horodate,"%Y-%m-%d")
| eval Statut=trim(Statut)
| eval OK=if(Statut="OK",1,0)
| eval KO=if(Statut="KO",1,0)
| stats sum(OK) as OK sum(KO) as KO count(Statut) as TOTAL by horodate

mah · ‎10-29-2020

hi @ITWhisperer

I tried with the eval trim :

and I removed the "by horodate" , the TOTAL is again nonsense :

mah · ‎10-29-2020

hi @ITWhisperer

It doesn't work :

more weird, if I remove "by horodate" I get result BUT with nonsense TOTAL :

and same issue, when I run:

| eval horodate=strptime(substr(Horodate,1,10),"%Y-%m-%d")
| fieldformat horodate=strftime(horodate,"%Y-%m-%d")

I don't see a field "horodate" in my "Interesting fields":

ITWhisperer · ‎10-29-2020

Try removing empty values from Statut

index="test" sourcetype="B"
| dedup Id
| eval horodate=strptime(substr(Horodate,1,10),"%Y-%m-%d")
| fieldformat horodate=strftime(horodate,"%Y-%m-%d")
| eval Statut=mvfilter(match(Statut,"\S+"))
| eval OK=if(Statut="OK",1,0)
| eval KO=if(Statut="KO",1,0)
| stats sum(OK) as OK sum(KO) as KO count(Statut) as TOTAL by horodate

mah · ‎10-29-2020

No still same problem :

the thing you have to understand is that the problem is at this level in the command :

| eval horodate=strptime(substr(Horodate,1,10),"%Y-%m-%d")

the substr does not work.

ITWhisperer · ‎10-29-2020

Hi @mah

Given that Statut is a multi-value field, perhaps the same is true for Horodate. Please try

index="test" sourcetype="B"
| dedup Id
| stats count(Horodate)

Also, you could try

index="test" sourcetype="B"
| dedup Id
| eval Horodate=mvfilter(match(Horodate,"\S+"))
| eval Horodate=trim(Horodate)
| eval horodate=strptime(substr(Horodate,1,10),"%Y-%m-%d")
| fieldformat horodate=strftime(horodate,"%Y-%m-%d")
| eval Statut=mvfilter(match(Statut,"\S+"))
| eval OK=if(Statut="OK",1,0)
| eval KO=if(Statut="KO",1,0)
| stats sum(OK) as OK sum(KO) as KO count(Statut) as TOTAL by horodate

mah · ‎10-29-2020

Yes, It is as I said : all values in all fields was twice.

So I added on the search head an app with the sourcetype "B" with le parameter KV_MODE = none :

[B]

KV_MODE = none

and all values appear one time only :

And finally my beginning query works well !

Thank you for your help.

why my eval strptime(substr()) field is not created ?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation

why my eval strptime(substr()) field is not created ?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions