Re: Help with stats building a wrong result on my ...

fpedrosa · ‎10-27-2022

Hello,

I have a lots of records, some one has account_id field filled.. others has org_id field filled, and some ones both filled.... I'm trying to bring the table both field (account_id and org_id) but, when I put the org_id into the stats by, bring only a few records, If I remove it, bring all the records, whats I'm doing wrong?

Thanks !

Here is my search:

| spath 
| rename object.* as *
| spath path=events{} output=events
| mvexpand events 
| stats by timestamp, events, application, event_type, org_id, account_id, context.display_name
| eval _raw=events
| kv
| table created_at_fmt, account_id, "application", "event_type", "context.display_name", title, url, org_id

ITWhisperer · ‎10-27-2022

| spath 
| rename object.* as *
| spath path=events{} output=events
| mvexpand events 
| fillnull value=0 org_id, account_id
| stats by timestamp, events, application, event_type, org_id, account_id, context.display_name
| eval _raw=events
| kv
| table created_at_fmt, account_id, "application", "event_type", "context.display_name", title, url, org_id

Help with stats building a wrong result on my table

fields

stats

table

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation