Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Error after stats command
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I need your help,
I have a search like this
index=test sourcetype=XY | stats count(Field1) AS f1 by action="Value1" Field2 | stats count(Field3) AS f3 by action="Value2" Field2 | eval sum=Field1+Field2 | eval pro1=Field1/sum*100 | eval pro2=Field3/sum*100 | table Field2 f1, pro1, f3, p2, sum
After running the search there is the Error:
Error in 'stats' command: The argument 'Field100=Value1' is invalid.
Has anyone an Idea how I can change the search that the search is running?
Thanks for your help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=test sourcetype=XY|eval action="Value1" | stats count(Field1) AS f1 by action, Field2 | appendcols [search index=test sourcetype=XY|eval action="Value2" |stats count(Field3) AS f3 by action, Field2]| eval sum=Field1+Field2 | eval pro1=Field1/sum*100 | eval pro2=Field3/sum*100 | table Field2 f1, pro1, f3, p2, sum
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi ,
I need your help to set filter between min and max range.
i have created two dropdown box.
<label>Min value</label>
<choice value="-5">-5</choice>
<choice value="-4">-4</choice>
<choice value="-3">-3</choice>
<choice value="-2">-2</choice>
<choice value="-1">-1</choice>
<choice value="0">0</choice>
<choice value="1">1</choice>
<choice value="2">2</choice>
<choice value="3">3</choice>
<choice value="4">4</choice>
<choice value="5">5</choice>
<default>-10</default>
</input>
<label>Max value</label>
<choice value="-5">-5</choice>
<choice value="-4">-4</choice>
<choice value="-3">-3</choice>
<choice value="-2">-2</choice>
<choice value="-1">-1</choice>
<choice value="0">0</choice>
<choice value="1">1</choice>
<choice value="2">2</choice>
<choice value="3">3</choice>
<choice value="4">4</choice>
<choice value="5">5</choice>
</input>
then create two filter
FILTER score > "$min_score$"
FILTER score < "$max_score$"
---------------------> here i am facing issue in xml parsing for operator less than (<)
this is error :
XML Syntax Error: StartTag: invalid element name,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=test sourcetype=XY|eval action="Value1" | stats count(Field1) AS f1 by action, Field2 | appendcols [search index=test sourcetype=XY|eval action="Value2" |stats count(Field3) AS f3 by action, Field2]| eval sum=Field1+Field2 | eval pro1=Field1/sum*100 | eval pro2=Field3/sum*100 | table Field2 f1, pro1, f3, p2, sum
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also your multiple stats commands will not work, because the first stats command consumes all data that goes into it and only emits whatever fields it calculates.
Perhaps you want something like this?
index=test sourcetype=XY action="Value1" OR action="Value2" | stats count(eval(action=="Value1")) as Field1, count(eval(action=="Value2")) as Field2 | ...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not sure what you're trying to do, but by action="SomeValue" is not a valid by clause in stats. You can only list fields there.
http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Stats
What are you trying to do?
Accelerating Observability as Code with the Splunk AI Assistant
Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...
Congratulations to the 2025-2026 SplunkTrust!
