Splunk Search

How to edit my streamstats search so that values from a field are displayed?

New Member

Hi Guys,

I am facing a strange problem with the streamstats command. Below is my search snippet. There are "blank" values for column e. I can see those "blank" values in e1. But after the streamstats function, I do not see those "blank" values in field e2, but I can see all other values except "blank". Can anyone help me to solve this problem? Why can't I see "blank" values in e2?

index=* | ..... | table a b c d e | fillnull value=blank d e | where e>c OR e="blank" | stats list(e) as e1 by c | streamstats list(e1) as e2
| tail 2

Thanks in advance.


Re: How to edit my streamstats search so that values from a field are displayed?

SplunkTrust

Your code should be working fine, if you have data that matches. Here's a run-anywhere sample that demonstrates it, and below is a line-by-line analysis...

| makeresults count=10 | streamstats count as recno
| eval c = case(recno>2 AND recno<6,2, recno>7 AND recno<11,5)
| eval e = case(recno==2 OR recno==4 OR recno==7 OR recno==9,1, recno==5,3, recno==10,8)
| table a b c d e
| fillnull value=blank d e
| where e>c OR e="blank"
| stats values(d) list(e) as e1 by c
| streamstats list(e1) as e2

Okay, this is a basic programming problem. Let's start by eliminating everything that can't be it.

Variables a, b and d have no effect on the result, so we can eliminate them from the code. Only the values in c and e matter.

 c has two possible values, null or a number.      
 e has three possible values, null, a number lower than c, or a number higher than c.  

Let's make a table...

CASE  c       e
 1    NULL    NULL
 2    NULL    1
 3    2       NULL
 4    2       1
 5    2       3   

Now, after this code, what do we have?

 |table c e|fillnull value=blank e

CASE  c       e
 1    NULL    blank
 2    NULL    1
 3    2       blank
 4    2       1
 5    2       3   

And after this code?

 | where e>c OR e="blank"

CASE  c       e
 1    NULL    blank
 3    2       blank
 5    2       3   

After this code?

 | stats list(e) as e1 by c

      c       e1
      2       blank
              3   

Note that the above gives us a single record, but you will have one for each value of c. Let's assume you had a second set with c=5 whose values included blank and 8.

| streamstats  list(e1) as e2 

      c       e1       e2
      2       blank    blank   
              3        3

      5       blank    blank   
              8        3
                       blank
                       8

And this code does not display the issues you were asking about. From that, we can assume that the problem is something having to do with the data, or that your code example does not do exactly what your live code does.

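The five cases and the second c=5 set that the answer walks through, replayed as an added Python model of the pipeline. This is not Splunk's code and not from either poster; it reduces fillnull, where, stats list and streamstats list to the behaviour the answer's tables describe (fillnull substitutes the literal string "blank" for a missing field, stats by c drops events with no c, list() keeps every value in arrival order, streamstats accumulates across rows), treats e>c as a numeric comparison only, and ignores the elided search prefix and the trailing tail 2. The input events are constructed to match the answer's CASE table:

```python
from collections import OrderedDict

# Constructed input: the answer's five cases (c in {NULL, 2}) plus the
# assumed second set with c=5 whose values include NULL (-> blank) and 8.
EVENTS = [
    {"c": None, "e": None},  # case 1
    {"c": None, "e": 1},     # case 2
    {"c": 2, "e": None},     # case 3
    {"c": 2, "e": 1},        # case 4
    {"c": 2, "e": 3},        # case 5
    {"c": 5, "e": None},     # second set
    {"c": 5, "e": 8},        # second set
]


def fillnull(events, value, fields):
    """Model of `fillnull value=<value> <fields>`: replace missing fields with value."""
    return [{**ev, **{f: value for f in fields if ev.get(f) is None}} for ev in events]


def where_keep(ev):
    """Model of `where e>c OR e="blank"`; only numeric pairs are compared."""
    e, c = ev["e"], ev["c"]
    if e == "blank":
        return True
    return isinstance(e, (int, float)) and isinstance(c, (int, float)) and e > c


def stats_list(events, field, by, out):
    """Model of `stats list(<field>) as <out> by <by>`: events without the
    by-field are dropped, values are kept in arrival order, one row per group."""
    groups = OrderedDict()
    for ev in events:
        if ev.get(by) is None:
            continue
        groups.setdefault(ev[by], []).append(ev[field])
    return [{by: key, out: vals} for key, vals in groups.items()]


def streamstats_list(rows, field, out):
    """Model of `streamstats list(<field>) as <out>`: running accumulation of
    every multivalue seen so far, so the blank entries are carried forward."""
    acc, result = [], []
    for row in rows:
        acc.extend(row[field])
        result.append({**row, out: list(acc)})
    return result


def run_pipeline(events=EVENTS):
    """Run the modelled search and return the final rows (c, e1, e2)."""
    after_fillnull = fillnull(events, "blank", ["e"])
    after_where = [ev for ev in after_fillnull if where_keep(ev)]
    after_stats = stats_list(after_where, "e", "c", "e1")
    return streamstats_list(after_stats, "e1", "e2")


if __name__ == "__main__":
    for row in run_pipeline():
        print(row["c"], row["e1"], row["e2"])
```

Under these assumptions the model reproduces the answer's last table exactly: the c=2 row carries e2 = [blank, 3] and the c=5 row carries e2 = [blank, 3, blank, 8], so the blank values survive streamstats. If a live search loses them, the difference is in the data or in a stage the snippet omits, which is the answer's conclusion.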