Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Stats sum function causing fields to drop off

rmcdougal
Path Finder
‎05-17-2013 12:37 PM

I am writing a search against a summary index and I am running into an interesting problem. When I perform a sum on one specific field all the other fields drop off. For example, this search returns proper results

index=network_summary source="Top Perimeter Accepts by Source IP" | table src_ip, dns_name, count

This search returns the count and src_ip but not the dns_name

index=network_summary source="Top Perimeter Accepts by Source IP" | stats sum(count) by src_ip | table src_ip, dns_name, sum(count)

Any ideas what I may be doing wrong?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎05-17-2013 02:32 PM

Stats replaces the raw events with what you specified, the sum of the field count grouped by src_ip. That does not contain dns_name, hence stats correctly drops that field.

That's not specific to summary indexes, but rather what stats does. Consider this:

index=_internal | stats count by sourcetype

Here stats will drop everything except the sourcetype field and count grouped by that. You'll lose _raw, _time, source, host, and so on.

If you want to maintain dns_name information you'll have to expand your stats command's parameters. Assuming dns_name is unique for each src_ip, you could do this:

... | stats sum(count) values(dns_name) as dns_name by src_ip

This will list all values of dns_name grouped by src_ip alongside the sum of counts.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎05-17-2013 02:32 PM

Stats replaces the raw events with what you specified, the sum of the field count grouped by src_ip. That does not contain dns_name, hence stats correctly drops that field.

That's not specific to summary indexes, but rather what stats does. Consider this:

index=_internal | stats count by sourcetype

Here stats will drop everything except the sourcetype field and count grouped by that. You'll lose _raw, _time, source, host, and so on.

If you want to maintain dns_name information you'll have to expand your stats command's parameters. Assuming dns_name is unique for each src_ip, you could do this:

... | stats sum(count) values(dns_name) as dns_name by src_ip

This will list all values of dns_name grouped by src_ip alongside the sum of counts.

Reply
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of Splunk APM’s and Splunk RUM’s streaming infrastructure in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...