Splunk Search

Search shows events only and not statistics in Splunk 6.2

ruhibansal
Explorer

 

BElow query shows expected statistics table in Splunk 8.2, but shows only events in Splunk 6.2.

 

YOUR_SEARCH
| fields A_real.S*.A*
| rename A_real.* as *
|eval dummy=null()
| foreach S* [ 
eval dummy= if(isnull(dummy),"<<FIELD>>".":".'<<FIELD>>',dummy."|"."<<FIELD>>".":".'<<FIELD>>')
] | eval dummy=split(dummy,"|")
| stats count by dummy | fields - count
| eval f1= mvindex(split(dummy,"."),0),I1= mvindex(split(dummy,"."),1), Id=mvindex(split(I1,":"),0),{f1}=mvindex(split(I1,":"),1) | fields - dummy I1 f1
| stats values(*) as * by Id
| lookup YOUR_LOOKUP Id
| where isnotnull(Timestamp) | fields - Timestamp

Please check.

Labels (1)
0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@ruhibansal  foreach command is introduced with Splunk 6.3 version.. That's Y it's not working with 6.2

https://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/Foreach

 

KV

0 Karma

ruhibansal
Explorer

Hi @kamlesh_vaghela 

for 6.3 as well, I am getting events and not statistics as shown in attached .png.

Query has no error, only stats are 0.

Tags (1)
0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@ruhibansal 

Can you please execute search step by step and check the fields and events ?

 

0 Karma

ruhibansal
Explorer

Hi @kamlesh_vaghela 

Thanks for your efforts. 

Even splunk support could not find solution and I had to upgrade version to resolve issue.

 

Regards

Ruhi

 

 

0 Karma

ruhibansal
Explorer

@kamlesh_vaghela

The query mentioned gives the result of inner join on two files.

Can you help to apply outer join in the query?

 

Regards

Ruhi

0 Karma
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...