Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

A particular search result is not showing up in | stats count output. Very wierd.

agoktas
Communicator
‎02-13-2015 02:44 PM

Hello,

Here is my search: 

index=app_win source=service State=Stopped StartMode (Auto OR Manual) 
Name (*IBM* OR *CollabNet* OR *SVN* OR *Kofax* OR *QAS* OR *FLEXLm*) OR
Description (*IBM* OR *CollabNet* OR *SVN* OR *Kofax* OR *QAS* OR *FLEXLm*) OR
DisplayName (*IBM* OR *CollabNet* OR *SVN* OR *Kofax* OR *QAS* OR *FLEXLm*)
NOT (Description=*Collec* OR *EnvAdmin*) | stats count by DisplayName StartMode host Description | rename DisplayName as "Service Name"

Most of the results show up in my table output, but some of the results do not (FTR... ALL results DO show up in the raw search results, so we are 100% sure it is picking up that data. It simply doesn't want to graph it as part of the 'chart' output).

Any ideas why?

Example of the raw data of one that does NOT show: 

Type=Service 
Name="MailService" 
DisplayName="IBM Rational ClearQuest Mail Service" 
Description= 
Path=""C:\Program Files (x86)\IBM\RationalSDLC\ClearQuest\mailservice.exe"" 
ServiceType="Own Process" 
StartMode="Auto" 
Started=false 
State="Stopped" 
Status="OK" 
ProcessId=0
Collapse

host = 
source = service
sourcetype = WinHostMon

Example of one that DOES show: 

Type=Service 
Name="IBMWAS70Service - ContentEngine" 
DisplayName="IBM WebSphere Application Server V7.0 - ContentEngine" 
Description="Controls the running of an IBM WebSphere Application Server V7.0 server named: FileNet_Server_1_CE-"
Path=""C:\IBM\WebSphere\AppServer\bin\wasservice.exe" "IBMWAS70Service - ContentEngine"" ServiceType="Own Process" StartMode="Manual" 
Started=false 
State="Stopped" 
Status="OK" 
ProcessId=0
Collapse

host = 
source = service
sourcetype = WinHostMon

Thanks!

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

musskopf
Builder
‎02-24-2015 04:56 PM

In your search, you're grouping by "DisplayName StartMode host Description".

I imagine you removed the "host" value to place the question here right? But if look closely, the first event doesn't have a "Description" value, and "stats" will simply ignore the event. The work around might be just adding a fillnull command before the stats, like this:

your_search | fillnull DisplayName StartMode host Description | stats count by DisplayName StartMode host Description | rename DisplayName as "Service Name"

The fill null will populate with "0" by default, but you could change to any value, like fillnull -value "Not present" fieldName. Hope it helps!

Cheers,
Mike

View solution in original post

Reply
Solved! Jump to solution
Solution

musskopf
Builder
‎02-24-2015 04:56 PM

In your search, you're grouping by "DisplayName StartMode host Description".

I imagine you removed the "host" value to place the question here right? But if look closely, the first event doesn't have a "Description" value, and "stats" will simply ignore the event. The work around might be just adding a fillnull command before the stats, like this:

your_search | fillnull DisplayName StartMode host Description | stats count by DisplayName StartMode host Description | rename DisplayName as "Service Name"

The fill null will populate with "0" by default, but you could change to any value, like fillnull -value "Not present" fieldName. Hope it helps!

Cheers,
Mike

Reply
Solved! Jump to solution

jrodman
Splunk Employee
Splunk Employee
‎02-24-2015 07:02 PM

I agree this is the likely problem. You could readily validate by enabling to show the Description field in the event listing, and seeing if it is present on that event.

Reply
Solved! Jump to solution

agoktas
Communicator
‎02-25-2015 09:09 AM

Yeppers! Thank you so much.

Yes, I simply added...
| fillnull value=NULL |
and all is now good.

Here is a search example:

index=app_win source=service State=Stopped StartMode (Auto OR Manual)
Name (IBM OR VW OR CollabNet OR SVN OR Kofax OR QAS OR FLEXLm) OR
Description (IBM OR CollabNet OR SVN OR Kofax OR QAS OR FLEXLm) OR
DisplayName (IBM OR CollabNet OR SVN OR Kofax OR QAS OR FLEXLm)
| fillnull value=NULL | stats count by DisplayName StartMode host Description | rename DisplayName as "Service Name"

Reply
Solved! Jump to solution

agoktas
Communicator
‎02-18-2015 11:00 AM

I noticed that the ones that don't show up in the stats output table are ones that do not have a description.

Can anyone explain why this happens, and what I should correct?

Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...