Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

why my eval strptime(substr()) field is not created ?

mah
Builder
‎10-29-2020 02:15 AM

Hi,

I have a search like this :

index="test" sourcetype="B"
| dedup Id
| eval horodate=strptime(substr(Horodate,1,10),"%Y-%m-%d")
| fieldformat horodate=strftime(horodate,"%Y-%m-%d")
| stats count(eval(Statut=="OK")) as OK count(eval(Statut=="KO")) as KO count(Statut) as TOTAL by horodate

This search works good with time picker "last 24h" :

mah_3-1603962754559.png

 

but not with the time picker "Today" : it returns "no results found" whereas I have 3 events ... 

mah_4-1603962886700.png

 

mah_1-1603962548398.png

I found that the  

mah_2-1603962684423.png

can you help me please ?

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mah
Builder
‎10-29-2020 06:44 AM

Yes, It is as I said : all values in all fields was twice. 

So I added on the search head an app with the sourcetype "B" with le parameter KV_MODE = none :

[B]

KV_MODE = none

and all values appear one time only :

mah_0-1603978987208.png

And finally my beginning query works well !

Thank you for your help. 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-29-2020 02:20 AM

How many Statut fields do you have in interesting fields and what are their values?

0 Karma
Reply
Solved! Jump to solution

mah
Builder
‎10-29-2020 02:25 AM

hi @ITWhisperer 

just one field Statut and 2 values OK,KO :

mah_0-1603963544292.png

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-29-2020 02:37 AM

Sometimes stats has difficulty counting evals

index="test" sourcetype="B"
| dedup Id
| eval horodate=strptime(substr(Horodate,1,10),"%Y-%m-%d")
| fieldformat horodate=strftime(horodate,"%Y-%m-%d")
| eval OK=if(Statut="OK",1,0)
| eval KO=if(Statut="KO",1,0)
| stats sum(OK) as OK sum(KO) as KO count(Statut) as TOTAL by horodate
0 Karma
Reply
Solved! Jump to solution

mah
Builder
‎10-29-2020 03:22 AM

What I have just notice is that all values of each field appear twice :

mah_0-1603966955419.png

my props : 

[B]
SHOULD_LINEMERGE = 0
category = Splunk App Add-on Builder
pulldown_type = 1
INDEXED_EXTRACTIONS = json
TIME_PREFIX = Horodate

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-29-2020 03:30 AM

Try trimming Statut

index="test" sourcetype="B"
| dedup Id
| eval horodate=strptime(substr(Horodate,1,10),"%Y-%m-%d")
| fieldformat horodate=strftime(horodate,"%Y-%m-%d")
| eval Statut=trim(Statut)
| eval OK=if(Statut="OK",1,0)
| eval KO=if(Statut="KO",1,0)
| stats sum(OK) as OK sum(KO) as KO count(Statut) as TOTAL by horodate
0 Karma
Reply
Solved! Jump to solution

mah
Builder
‎10-29-2020 03:48 AM

hi @ITWhisperer 

I tried with the eval trim : 

mah_0-1603968445086.png

and I removed the "by horodate" , the TOTAL is again nonsense : 

mah_1-1603968494750.png

 

0 Karma
Reply
Solved! Jump to solution

mah
Builder
‎10-29-2020 02:56 AM

hi @ITWhisperer 

It doesn't work : 

mah_0-1603965215640.png

more weird, if I remove "by horodate" I get result BUT with nonsense TOTAL :

mah_1-1603965288640.png

and same issue, when I run:

| eval horodate=strptime(substr(Horodate,1,10),"%Y-%m-%d")
| fieldformat horodate=strftime(horodate,"%Y-%m-%d")

I don't see a field "horodate" in my "Interesting fields":

mah_2-1603965352223.png

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-29-2020 04:09 AM

Try removing empty values from Statut

index="test" sourcetype="B"
| dedup Id
| eval horodate=strptime(substr(Horodate,1,10),"%Y-%m-%d")
| fieldformat horodate=strftime(horodate,"%Y-%m-%d")
| eval Statut=mvfilter(match(Statut,"\S+"))
| eval OK=if(Statut="OK",1,0)
| eval KO=if(Statut="KO",1,0)
| stats sum(OK) as OK sum(KO) as KO count(Statut) as TOTAL by horodate
0 Karma
Reply
Solved! Jump to solution

mah
Builder
‎10-29-2020 05:56 AM

No still same problem :

mah_0-1603976108605.png

 

the thing you have to understand is that the problem is at this level in the command : 

| eval horodate=strptime(substr(Horodate,1,10),"%Y-%m-%d")

the substr does not work. 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-29-2020 06:24 AM

Hi @mah 

Given that Statut is a multi-value field, perhaps the same is true for Horodate. Please try 

index="test" sourcetype="B"
| dedup Id
| stats count(Horodate)

Also, you could try

index="test" sourcetype="B"
| dedup Id
| eval Horodate=mvfilter(match(Horodate,"\S+"))
| eval Horodate=trim(Horodate)
| eval horodate=strptime(substr(Horodate,1,10),"%Y-%m-%d")
| fieldformat horodate=strftime(horodate,"%Y-%m-%d")
| eval Statut=mvfilter(match(Statut,"\S+"))
| eval OK=if(Statut="OK",1,0)
| eval KO=if(Statut="KO",1,0)
| stats sum(OK) as OK sum(KO) as KO count(Statut) as TOTAL by horodate

 

0 Karma
Reply
Solved! Jump to solution
Solution

mah
Builder
‎10-29-2020 06:44 AM

Yes, It is as I said : all values in all fields was twice. 

So I added on the search head an app with the sourcetype "B" with le parameter KV_MODE = none :

[B]

KV_MODE = none

and all values appear one time only :

mah_0-1603978987208.png

And finally my beginning query works well !

Thank you for your help. 

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...