Help with stats building a wrong result on my tabl...

fpedrosa · ‎10-27-2022

Hello,

I have a lots of records, some one has account_id field filled.. others has org_id field filled, and some ones both filled.... I'm trying to bring the table both field (account_id and org_id) but, when I put the org_id into the stats by, bring only a few records, If I remove it, bring all the records, whats I'm doing wrong?

Thanks !

Here is my search:

| spath 
| rename object.* as *
| spath path=events{} output=events
| mvexpand events 
| stats by timestamp, events, application, event_type, org_id, account_id, context.display_name
| eval _raw=events
| kv
| table created_at_fmt, account_id, "application", "event_type", "context.display_name", title, url, org_id

ITWhisperer · ‎10-27-2022

| spath 
| rename object.* as *
| spath path=events{} output=events
| mvexpand events 
| fillnull value=0 org_id, account_id
| stats by timestamp, events, application, event_type, org_id, account_id, context.display_name
| eval _raw=events
| kv
| table created_at_fmt, account_id, "application", "event_type", "context.display_name", title, url, org_id

Help with stats building a wrong result on my table

fields

stats

table

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?