Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to combine two queries into one without using eventtypes

jaj
Path Finder
‎02-17-2014 03:03 PM

I have the two separate queries that I could like to combine into on query without using event types. How can I do this as one query?

query 1:
source=....."labelData= " | stats count

query 2:
source=..... lableData!="" | stats count

ACTUAL LOGS:

// NO MATCH  [2014-02-18 10:21:53,302](org.mysession.Session-/xxx)([8fae1ec7-39bf-4c0b-97ba-144a55d1510e INFO  - MyClass                      - Parsed info: labelData= labelDataValue= matchedLocale= textLength=2636 

// MATCH [2014-02-18 10:24:52,302](org.mysession.Session-/xxx)([8fae1ec7-39bf-4c0b-97ba-144a55d1510e INFO  - MyClass                      - Parsed info: labelData=EN_US labelDataValue=1 matchedLocale= textLength=2636
Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-18-2014 06:58 AM

Try this (assuming labelData is an extracted field for you and both query uses same source)

source=yoursource  | stats count(eval(isnull(labelData))) as CountBlank, count(eval(isnotnull(labelData))) as CountValues

OR (in case upper one doesn't work)

source=yoursource  | stats count(eval(labelData="")) as CountBlank, count(eval(labelData!="") as CountValues

Update: Another Option

source=yoursource   | stats count(eval(len(labelData)=0)) as CountBlank, count(eval(len(labelData)!=0)) as CountValues

2nd Update:

This should work (work around)

source=yoursource "labelData= " | stats count as CountBlank | appendcols [search source=yoursource lableData!="" | stats count as CountValues]

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-18-2014 06:58 AM

Try this (assuming labelData is an extracted field for you and both query uses same source)

source=yoursource  | stats count(eval(isnull(labelData))) as CountBlank, count(eval(isnotnull(labelData))) as CountValues

OR (in case upper one doesn't work)

source=yoursource  | stats count(eval(labelData="")) as CountBlank, count(eval(labelData!="") as CountValues

Update: Another Option

source=yoursource   | stats count(eval(len(labelData)=0)) as CountBlank, count(eval(len(labelData)!=0)) as CountValues

2nd Update:

This should work (work around)

source=yoursource "labelData= " | stats count as CountBlank | appendcols [search source=yoursource lableData!="" | stats count as CountValues]
Reply
Solved! Jump to solution

jaj
Path Finder
‎02-18-2014 09:35 AM

one last ask, how can I get them as separate rows so that I can put them in a pie chart for display? i tried append but no go

0 Karma
Reply
Solved! Jump to solution

jaj
Path Finder
‎02-18-2014 09:28 AM

That last workaround worked. Not sure why the others aren't working. It's bizarre. Thanks for not giving up on me. 😃 Thanks again!

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-18-2014 09:08 AM

I can understand your frustration, I have got Splunk- slapped many times. Try the updated options which definitely should work (provided your individual queries were working).

0 Karma
Reply
Solved! Jump to solution

jaj
Path Finder
‎02-18-2014 08:59 AM

updated logs...i can't figure out this one for the life of me. i tried your update . the second part works fine. the blank ones doesn't. what is the deal with splunk and having issues matching "log msg labelData= " as opposed to "log msg labelData=EN_US"? i can' figure out why splunk messes this up? i have triple checked everything on my side.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-18-2014 08:31 AM

It seems a blank "" is getting assigned instead on NULL which I was thinking. Try the option 3 I provided, should work based on observations your provided.

0 Karma
Reply
Solved! Jump to solution

jaj
Path Finder
‎02-18-2014 08:24 AM

the first query isn't working either. the section count(eval(isnull(matchedParsePatterns)))

brings back all instances (matches and n0 matches) i.e. labelData= as well as labelData=somevalue

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-18-2014 08:19 AM

Since all records will either have labelData="" or labelDate!="", so one work around will be:
source=yoursource | stats count as Total count(eval(isnotnull(labelData))) as CountValues | eval CountBlank=Total-CountValues | fields - Total

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-18-2014 08:16 AM

Did you try both the options that I provided? especially the first one?

0 Karma
Reply
Solved! Jump to solution

jaj
Path Finder
‎02-18-2014 07:43 AM

cool. thanks for the reply. i was able to get second part of your query to work. however, the first part doesn't work. please see my updates on how things are getting logged. for some reason I can't match misses like labelData="". instead I have to match "labelData= " but that was only working for my original query. if I put that into the first part of your query it wont' work for some reason

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

The Payment Operations Wake-Up Call: Why Financial Institutions Can't Afford ...

The same scenario plays out across financial institutions daily. A payment system fails at 11:30 AM on a busy ...

Make Your Case: A Ready-to-Send Letter for Getting Approval to Attend .conf25

Hello Splunkers, Want to attend .conf25 in Boston this year but not sure how to convince your manager? We've ...

Community Spotlight: A Splunk Expert's Journey

In the world of data analytics, some journeys leave a lasting impact not only on the individual but on the ...
Top