Eventstats not returning expected results

smruti13 · ‎10-04-2020

Hi Splunk Gurus!

I have come across an absurd issue where my eventstats is not recognizing the field value.

Sample Problem:

Field1	source
(Blank)	dummy_source.csv
Record1	dummy2_cource.csv

query:

|eventstats dc(source) as check by Field1

expected o/p:

Field1	source	check
(Blank)	dummy_source.csv
Record1	dummy2_cource.csv	1

current o/p:

Field1	source	check
(Blank)	dummy_source.csv
Record1	dummy2_cource.csv

Additional Info: I have the following message in my Splunk- Failed to register with cluster master... (not sure if its got something to do with the problem )

Any help is appreciated !

Thanks 🙂

thambisetty · ‎10-05-2020

This looks strange for me. I have just tried with same field Field1 and its working as expected. I was thinking there could be an issue with an integer post fixed to the field.

you can try couple things:

filter to get Record1. search Field1="Record1"

enclose Field1 in double quotes : |eventstats dc(source) as check by "Field1"

just add | fields Field1 to see whether you are seeing this field.

can you run eventstats for other events and see if thats working.

————————————
If this helps, give a like below.

Eventstats not returning expected results

fields

stats

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I

Are you a member of the Splunk Community?

Eventstats not returning expected results

fields

stats

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I