Re: Eventstats not returning expected results

smruti13 · ‎10-04-2020

Hi Splunk Gurus!

I have come across an absurd issue where my eventstats is not recognizing the field value.

Sample Problem:

Field1	source
(Blank)	dummy_source.csv
Record1	dummy2_cource.csv

query:

|eventstats dc(source) as check by Field1

expected o/p:

Field1	source	check
(Blank)	dummy_source.csv
Record1	dummy2_cource.csv	1

current o/p:

Field1	source	check
(Blank)	dummy_source.csv
Record1	dummy2_cource.csv

Additional Info: I have the following message in my Splunk- Failed to register with cluster master... (not sure if its got something to do with the problem )

Any help is appreciated !

Thanks 🙂

thambisetty · ‎10-05-2020

This looks strange for me. I have just tried with same field Field1 and its working as expected. I was thinking there could be an issue with an integer post fixed to the field.

you can try couple things:

filter to get Record1. search Field1="Record1"

enclose Field1 in double quotes : |eventstats dc(source) as check by "Field1"

just add | fields Field1 to see whether you are seeing this field.

can you run eventstats for other events and see if thats working.

————————————
If this helps, give a like below.

Eventstats not returning expected results

fields

stats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation