Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

The stats command isn't returning any results?

mperren
Engager
‎02-11-2014 09:50 AM

I have the following splunk query:

search (...) AND ERROR
    | rex field=error "^.*(?<vcbn>Value cannot be null.)$"
    | stats count(vcbn) by error

but for whatever reason the stats count(vcbn) by error isn't generating any results.

Additionally, the rex field=error "^.*(?<vcbn>Value cannot be null.)$" isn't building a new field in the list on the left of the event search results.

The search itself returns 170 events.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-11-2014 10:14 AM

Start by displaying just the results of your search (everything before "rex") to make sure you're getting the events you think you're getting. Do you have a field called 'error'? If you want to capture the full stop at the end of the error message it should be escaped (.).

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

the_wolverine
Champion
‎02-11-2014 11:37 AM 
search (...) AND ERROR
    | rex field=error "^.*(?<vcbn>Value cannot be null.)$"
    | stats count by vcbn
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-11-2014 10:39 AM

please provide some sample log entries and the portion which have to be extracted as vcbn.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-11-2014 10:14 AM

Start by displaying just the results of your search (everything before "rex") to make sure you're getting the events you think you're getting. Do you have a field called 'error'? If you want to capture the full stop at the end of the error message it should be escaped (.).

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-11-2014 10:47 AM

Try 'stats count(vcbn)'. Since your search is only returning a single value, there is no grouping and so no use for a by clause.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

linu1988
Champion
‎02-11-2014 10:46 AM

what do you get in vcbn? do you get all the values which you expect? And what i think you would like count on vcbn

rex "^.*(?Value cannot be null.)$" | stats count(vcbn) by vcbn

0 Karma
Reply
Solved! Jump to solution

mperren
Engager
‎02-11-2014 10:37 AM

@richgalloway: got it, so after changing it up a bit to rex "^.*(?<vcbn>Value cannot be null.)$" | stats count(vcbn) by _raw I get a graph - but it's empty. What might I have missed there? I've also noticed that the results listing no longer has these errors listed.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-11-2014 10:31 AM

I thought that might be the case. The field argument to the rex command tells rex what field to parse. Results are put into fields created by the '?<vcbn>' construct.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

mperren
Engager
‎02-11-2014 10:16 AM

I don't get a field called error, I thought I was trying to make a field called error that pulled out that text and then get stats on it. However, I do get the results I'm expecting with just the search.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...