Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

The stats command isn't returning any results?

mperren
Engager
‎02-11-2014 09:50 AM

I have the following splunk query:

search (...) AND ERROR
    | rex field=error "^.*(?<vcbn>Value cannot be null.)$"
    | stats count(vcbn) by error

but for whatever reason the stats count(vcbn) by error isn't generating any results.

Additionally, the rex field=error "^.*(?<vcbn>Value cannot be null.)$" isn't building a new field in the list on the left of the event search results.

The search itself returns 170 events.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-11-2014 10:14 AM

Start by displaying just the results of your search (everything before "rex") to make sure you're getting the events you think you're getting. Do you have a field called 'error'? If you want to capture the full stop at the end of the error message it should be escaped (.).

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

the_wolverine
Champion
‎02-11-2014 11:37 AM 
search (...) AND ERROR
    | rex field=error "^.*(?<vcbn>Value cannot be null.)$"
    | stats count by vcbn
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-11-2014 10:39 AM

please provide some sample log entries and the portion which have to be extracted as vcbn.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-11-2014 10:14 AM

Start by displaying just the results of your search (everything before "rex") to make sure you're getting the events you think you're getting. Do you have a field called 'error'? If you want to capture the full stop at the end of the error message it should be escaped (.).

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-11-2014 10:47 AM

Try 'stats count(vcbn)'. Since your search is only returning a single value, there is no grouping and so no use for a by clause.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

linu1988
Champion
‎02-11-2014 10:46 AM

what do you get in vcbn? do you get all the values which you expect? And what i think you would like count on vcbn

rex "^.*(?Value cannot be null.)$" | stats count(vcbn) by vcbn

0 Karma
Reply
Solved! Jump to solution

mperren
Engager
‎02-11-2014 10:37 AM

@richgalloway: got it, so after changing it up a bit to rex "^.*(?<vcbn>Value cannot be null.)$" | stats count(vcbn) by _raw I get a graph - but it's empty. What might I have missed there? I've also noticed that the results listing no longer has these errors listed.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-11-2014 10:31 AM

I thought that might be the case. The field argument to the rex command tells rex what field to parse. Results are put into fields created by the '?<vcbn>' construct.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

mperren
Engager
‎02-11-2014 10:16 AM

I don't get a field called error, I thought I was trying to make a field called error that pulled out that text and then get stats on it. However, I do get the results I'm expecting with just the search.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...