Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to use stats in multiple Condition and fie...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to use stats in multiple Condition and fields ?
karthi2809
Builder
03-21-2024
04:50 AM
Hi Guys,
I am trying fetch details using stats.In this query I am trying get status from the below conditions and when i am populating in the table.The ProccesMsg has some values but in failure conditions i will add message in the result so i used coalesec to map both the result and need to populate in the table.But i cant able to populate the result.What mistake i did here.
index="mulesoft" applicationName="ext" environment=DEV
(*End of GL-import flow*) OR (message="GLImport Job Already Running, Please wait for the job to complete*") OR (message="process - No files found for import to ISG") |rename content.File.fstatus as Status|eval Status=case( like('Status' ,"%SUCCESS%"),"SUCCESS",like('Status',"%ERROR%"),"ERROR",like('message',"%process - No files found for import to ISG%"), "ERROR",like('message',"GLImport Job Already Running, Please wait for the job to complete"), "WARN")
| eval ProcessMsg= coalesce(ProcessMsg,message)
|stats values(content.File.fid) as "TransferBatch/OnDemand" values(content.File.fname) as "BatchName/FileName" values(content.File.fprocess_message) as ProcessMsg
values(Status) as Status values(content.File.isg_file_batch_id) as OracleBatchID values(content.File.total_rec_count) as "Total Record Count" by correlationId
|table Status Start_Time "TransferBatch/OnDemand" "BatchName/FileName" ProcessMsg OracleBatchID "Total Record Count" ElapsedTimeInSecs "Total Elapsed Time" correlationId
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yuanliu
SplunkTrust
03-22-2024
12:58 AM
You need to clarify the problem in search result as well as explain/illustrate your raw data. "Can't populate result" can have a million different meanings. Do you mean to say that you get a completely blank table, i.e., no results at all? If this is the case, you probably do not have a field named correlationId in your raw data.
Or do you mean values(content.File.fprocess_message) as ProcessMsg gives all null output? You cannot expect volunteers to read your mind. Explain in no ambiguous terms.
You speak about ProessMsg but it is not obvious whether a field named "ProcessMsg" exists in raw data, despite a suggestion of that coalesce function. Again, you cannot just ask volunteers to speculate from your code (aka mind-reading) what raw data look like.
Importantly, as @ITWhisperer questioned, why go through all the trouble of coalescing if you are going to discard it, then use field name ProcessMsg to store output of a stats function, as indicated in values(content.File.fprocess_message) as ProcessMsg? Most importantly, what is content.File.fprocess_message? Do you have evidence that this field even has value?
Do you really mean
index="mulesoft" applicationName="ext" environment=DEV
(*End of GL-import flow*) OR (message="GLImport Job Already Running, Please wait for the job to complete*") OR (message="process - No files found for import to ISG")
|rename content.File.fstatus as Status
|eval Status=case( like('Status' ,"%SUCCESS%"),"SUCCESS",like('Status',"%ERROR%"),"ERROR",like('message',"%process - No files found for import to ISG%"), "ERROR",like('message',"GLImport Job Already Running, Please wait for the job to complete"), "WARN")
| eval ProcessMsg= coalesce(ProcessMsg,message)
|stats values(content.File.fid) as "TransferBatch/OnDemand" values(content.File.fname) as "BatchName/FileName" values(ProcessMsg) as ProcessMsg
values(Status) as Status values(content.File.isg_file_batch_id) as OracleBatchID values(content.File.total_rec_count) as "Total Record Count" by correlationId
|table Status Start_Time "TransferBatch/OnDemand" "BatchName/FileName" ProcessMsg OracleBatchID "Total Record Count" ElapsedTimeInSecs "Total Elapsed Time" correlationId
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
03-21-2024
04:58 AM
It looks like you have an eval for ProcessMsg, immediately followed by a stats command which overwrites the same field - is this your issue?
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
