Count not showing up for events

kmm2
Path Finder

I am not seeing results for count on each of the fields for the 2 different searches below. The first one shows the (let's say 3) storefront names with no counts. If I just run a | stats count by Storefront it returns with the correct number of counts. The fields are created in statistics with no counts or names of the netscalers, site, or user. The second search does not return any statistical results. Hoping to see the count of connections to the Storefront and its correlating NetScaler in a Sankey diagram.


| stats count by Storefront
| rename Storefront as source
| appendpipe [ stats count by Netscaler | rename Netscaler as source, count as count_Netscaler ]
| appendpipe [ stats count by site | rename site as source, count as count_site ]
| appendpipe [ stats count by UserName | rename UserName as source, count as count_UserName ]
| fields source, count_Netscaler, count_site, count_UserName
| search source=*


| stats count by Storefront
| rename Storefront as source
| appendpipe [ stats count by Netscaler | rename Netscaler as source, Storefront as target ]
| appendpipe [ stats count by site | rename site as source, Netscaler as target ]
| appendpipe [ stats count by UserName | rename UserName as source, site as target ]
| search source=* AND target=*
| stats sum(count) as count by source, target
| fields source, target, count


kmm2
Path Finder

a few hundred


PickleRick
SplunkTrust

Well, the safest way to get those values would probably be to either use summary indexing or schedule separate searches for each count and then append their results with loadjob.

But if your fields are easily obtainable with PREFIX, you could use tstats to do quick separate tstats-based searches and append them together.

You could also, as I said earlier, try to simply do a count by all four of those parameters and then do eventstats, but that might give you too many results to aggregate (if every user can hit each netscaler, each site and so on, that can get into relatively high numbers; but it might be worth a try).


PickleRick
SplunkTrust

Searches using subsearches (maybe with an exception of multisearch) are extremely tricky to troubleshoot due to limits on subsearches.

That seems to be a very weird way to calculate four separate statistics using some syntactic "glue".

What is the cardinality of each of your sources/targets? (Netscaler, site, UserName, Storefront)

Maybe it would be more natural to just do a simple count over all of them and then simply eventstats sum over some combinations?

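The approach PickleRick describes, written out as an added example (not code from the thread), run against constructed sample events built with makeresults so it needs no index; the Storefront, Netscaler, site and UserName values are made up. Counting by all four fields at once keeps every field in the pipeline (a plain | stats count by Storefront drops the other three, which is why the appendpipe stages above have nothing left to count), so the eventstats lines put the per-field totals the first search was after onto every row, and the last lines fold the rows into the source/target/count edges the Sankey needs.

```spl
| makeresults count=8
| streamstats count as n
| eval UserName="user".(n%4)
| eval Storefront=if(n<=5, "SF-A", "SF-B")
| eval Netscaler=case(n<=3, "NS-1", n<=5, "NS-2", true(), "NS-3")
| eval site=if(n%2==0, "site-east", "site-west")
| fields - n _time
| stats count by Storefront Netscaler site UserName
| eventstats sum(count) as count_Storefront by Storefront
| eventstats sum(count) as count_Netscaler by Netscaler
| eventstats sum(count) as count_site by site
| eventstats sum(count) as count_UserName by UserName
| eval pairs=mvappend(UserName.">".site, site.">".Netscaler, Netscaler.">".Storefront)
| mvexpand pairs
| eval source=mvindex(split(pairs, ">"), 0), target=mvindex(split(pairs, ">"), 1)
| stats sum(count) as count by source target
```

Stop the search after the eventstats lines to see the per-field totals; the number of rows produced by the four-field stats is what grows with user cardinality, which is the concern raised in this thread.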

kmm2
Path Finder

Each user has a unique sessionid that connects to one Storefront, one netscaler, and one site. Let's dig into eventstats.


PickleRick
SplunkTrust

Yes, but you're (luckily) not counting by sessionID. You're counting by other stuff: storefront, netscaler, site and user. I suppose the user field will have the most values. The question is how many: hundreds? Thousands? Millions?
