Splunk Search

Error after stats command

hoerberm
New Member

Hi,

I need your help,

I have a search like this

index=test sourcetype=XY | stats count(Field1) AS f1 by action="Value1" Field2 | stats count(Field3) AS f3 by action="Value2" Field2  | eval sum=Field1+Field2 | eval pro1=Field1/sum*100 | eval pro2=Field3/sum*100 | table Field2 f1, pro1, f3, p2, sum

After running the search there is the Error:
Error in 'stats' command: The argument 'Field100=Value1' is invalid.

Has anyone an Idea how I can change the search that the search is running?

Thanks for your help

Tags (3)
0 Karma
1 Solution

fdi01
Motivator

index=test sourcetype=XY|eval action="Value1" | stats count(Field1) AS f1 by action, Field2 | appendcols [search index=test sourcetype=XY|eval action="Value2" |stats count(Field3) AS f3 by action, Field2]| eval sum=Field1+Field2 | eval pro1=Field1/sum*100 | eval pro2=Field3/sum*100 | table Field2 f1, pro1, f3, p2, sum

View solution in original post

pragycho
Loves-to-Learn

hi ,
I need your help to set filter between min and max range.
i have created two dropdown box.

  <label>Min  value</label>
  <choice value="-5">-5</choice>
  <choice value="-4">-4</choice>
  <choice value="-3">-3</choice>
  <choice value="-2">-2</choice>
  <choice value="-1">-1</choice>
  <choice value="0">0</choice>
  <choice value="1">1</choice>
  <choice value="2">2</choice>
  <choice value="3">3</choice>
  <choice value="4">4</choice>
  <choice value="5">5</choice>

  <default>-10</default>
</input>


  <label>Max value</label>

  <choice value="-5">-5</choice>
  <choice value="-4">-4</choice>
  <choice value="-3">-3</choice>
  <choice value="-2">-2</choice>
  <choice value="-1">-1</choice>
  <choice value="0">0</choice>
  <choice value="1">1</choice>
  <choice value="2">2</choice>
  <choice value="3">3</choice>
  <choice value="4">4</choice>
  <choice value="5">5</choice>    
</input>

then create two filter
FILTER score > "$min_score$"
FILTER score < "$max_score$"
---------------------> here i am facing issue in xml parsing for operator less than (<)
this is error :
XML Syntax Error: StartTag: invalid element name,

0 Karma

fdi01
Motivator

index=test sourcetype=XY|eval action="Value1" | stats count(Field1) AS f1 by action, Field2 | appendcols [search index=test sourcetype=XY|eval action="Value2" |stats count(Field3) AS f3 by action, Field2]| eval sum=Field1+Field2 | eval pro1=Field1/sum*100 | eval pro2=Field3/sum*100 | table Field2 f1, pro1, f3, p2, sum

View solution in original post

Ayn
Legend

Also your multiple stats commands will not work, because the first stats command consumes all data that goes into it and only emits whatever fields it calculates.

Perhaps you want something like this?

index=test sourcetype=XY action="Value1" OR action="Value2" | stats count(eval(action=="Value1")) as Field1, count(eval(action=="Value2")) as Field2 | ...
0 Karma

aweitzman
Motivator

I'm not sure what you're trying to do, but by action="SomeValue" is not a valid by clause in stats. You can only list fields there.

http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Stats

What are you trying to do?

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!