Solved: The stats command isn't returning any results?

mperren · ‎02-11-2014

I have the following splunk query:

search (...) AND ERROR
    | rex field=error "^.*(?<vcbn>Value cannot be null.)$"
    | stats count(vcbn) by error

but for whatever reason the stats count(vcbn) by error isn't generating any results.

Additionally, the rex field=error "^.*(?<vcbn>Value cannot be null.)$" isn't building a new field in the list on the left of the event search results.

The search itself returns 170 events.

richgalloway · ‎02-11-2014

Start by displaying just the results of your search (everything before "rex") to make sure you're getting the events you think you're getting. Do you have a field called 'error'? If you want to capture the full stop at the end of the error message it should be escaped (.).

---
If this reply helps you, Karma would be appreciated.

View solution in original post

the_wolverine · ‎02-11-2014

search (...) AND ERROR
    | rex field=error "^.*(?<vcbn>Value cannot be null.)$"
    | stats count by vcbn

somesoni2 · ‎02-11-2014

please provide some sample log entries and the portion which have to be extracted as vcbn.

richgalloway · ‎02-11-2014

Start by displaying just the results of your search (everything before "rex") to make sure you're getting the events you think you're getting. Do you have a field called 'error'? If you want to capture the full stop at the end of the error message it should be escaped (.).

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎02-11-2014

Try 'stats count(vcbn)'. Since your search is only returning a single value, there is no grouping and so no use for a by clause.

---
If this reply helps you, Karma would be appreciated.

linu1988 · ‎02-11-2014

what do you get in vcbn? do you get all the values which you expect? And what i think you would like count on vcbn

rex "^.*(?Value cannot be null.)$" | stats count(vcbn) by vcbn

mperren · ‎02-11-2014

@richgalloway: got it, so after changing it up a bit to rex "^.*(?<vcbn>Value cannot be null.)$" | stats count(vcbn) by _raw I get a graph - but it's empty. What might I have missed there? I've also noticed that the results listing no longer has these errors listed.

richgalloway · ‎02-11-2014

I thought that might be the case. The field argument to the rex command tells rex what field to parse. Results are put into fields created by the '?<vcbn>' construct.

---
If this reply helps you, Karma would be appreciated.

mperren · ‎02-11-2014

I don't get a field called error, I thought I was trying to make a field called error that pulled out that text and then get stats on it. However, I do get the results I'm expecting with just the search.

The stats command isn't returning any results?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation

The stats command isn't returning any results?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability