Hi,
I need your help,
I have a search like this
index=test sourcetype=XY | stats count(Field1) AS f1 by action="Value1" Field2 | stats count(Field3) AS f3 by action="Value2" Field2 | eval sum=Field1+Field2 | eval pro1=Field1/sum*100 | eval pro2=Field3/sum*100 | table Field2 f1, pro1, f3, p2, sum
After running the search there is the Error:
Error in 'stats' command: The argument 'Field100=Value1' is invalid.
Has anyone an Idea how I can change the search that the search is running?
Thanks for your help
index=test sourcetype=XY|eval action="Value1" | stats count(Field1) AS f1 by action, Field2 | appendcols [search index=test sourcetype=XY|eval action="Value2" |stats count(Field3) AS f3 by action, Field2]| eval sum=Field1+Field2 | eval pro1=Field1/sum*100 | eval pro2=Field3/sum*100 | table Field2 f1, pro1, f3, p2, sum
hi ,
I need your help to set filter between min and max range.
i have created two dropdown box.
<label>Min value</label>
<choice value="-5">-5</choice>
<choice value="-4">-4</choice>
<choice value="-3">-3</choice>
<choice value="-2">-2</choice>
<choice value="-1">-1</choice>
<choice value="0">0</choice>
<choice value="1">1</choice>
<choice value="2">2</choice>
<choice value="3">3</choice>
<choice value="4">4</choice>
<choice value="5">5</choice>
<default>-10</default>
</input>
<label>Max value</label>
<choice value="-5">-5</choice>
<choice value="-4">-4</choice>
<choice value="-3">-3</choice>
<choice value="-2">-2</choice>
<choice value="-1">-1</choice>
<choice value="0">0</choice>
<choice value="1">1</choice>
<choice value="2">2</choice>
<choice value="3">3</choice>
<choice value="4">4</choice>
<choice value="5">5</choice>
</input>
then create two filter
FILTER score > "$min_score$"
FILTER score < "$max_score$"
---------------------> here i am facing issue in xml parsing for operator less than (<)
this is error :
XML Syntax Error: StartTag: invalid element name,
index=test sourcetype=XY|eval action="Value1" | stats count(Field1) AS f1 by action, Field2 | appendcols [search index=test sourcetype=XY|eval action="Value2" |stats count(Field3) AS f3 by action, Field2]| eval sum=Field1+Field2 | eval pro1=Field1/sum*100 | eval pro2=Field3/sum*100 | table Field2 f1, pro1, f3, p2, sum
Also your multiple stats commands will not work, because the first stats command consumes all data that goes into it and only emits whatever fields it calculates.
Perhaps you want something like this?
index=test sourcetype=XY action="Value1" OR action="Value2" | stats count(eval(action=="Value1")) as Field1, count(eval(action=="Value2")) as Field2 | ...
I'm not sure what you're trying to do, but by action="SomeValue"
is not a valid by
clause in stats
. You can only list fields there.
http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Stats
What are you trying to do?