Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Knowledge Management
- :
- Order of Search terms - Does it matter?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Order of Search terms - Does it matter?
Recently I was working on a lab module 12 - question 22: Search the web application data for all events where a user purchased a product successfully. Use the stats sum function to sum the Price field by ProductName. Name the resulting field Revenue.
Originally I typed the following query but did not get any results:
index=main sourcetype=access_combined_wcookie status=200 file=success.do | stats sum(Price) as Revenue by ProductName (I tried it both with quotes and without quotes around "access_combined_wcookie)
I tried a few things before I scrolled down to see if the answer was any different and I discovered that it was. The only difference that I saw in my opinion do not seem to me like they should affect the results that are returned. Can anyone provide some insight into why the order of the search terms would matter or is this a weird fluke?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Order of search terms before the first pipe is generally irrelevant. (Always irrelevant, if you use proper parenthesis around ORs and ANDs)
Here's what to check -
1) If you add ProductName=* to the first search, before the pipe, then pipe it to the | head 1 command, and delete the rest of the search, then you can make sure there is underlying data. This is the first thing to check when debugging, and will detect and demonstrate any time span or capitalization problems in the underlying search.
2) Check your time constraints. When doing these modules, often the data is getting stale by the time you are in the later modules.
3) Check your capitalization. Splunk is mostly case-sensitive.
4) When you stats by a field that does not exist, you get no results. The above steps will help you eliminate that potential issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So this is what didn't make sense to me. You said what I thought, search term order before first pipe shouldn't matter. This is the query that ended up working (I had time constraints set to all time for all tries)
index=main sourcetype="access_combined_wcookie" file=success.do status=200 | stats sum(Price) as Revenue by ProductName
I don't think the quotes and the switching file= and status= around should matter. The above query should return the same results as the one I posted in my original question.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Would you kindly provide some more context ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=main sourcetype="access_combined_wcookie" file=success.do status=200 | stats sum(Price) as Revenue by ProductName
I don't think the quotes and the switching file= and status= around should matter. The above query should return the same results as the one I posted in my original question.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is the suggested query?
If this reply helps you, Karma would be appreciated.
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
