Solved: Unfamiliar Syntax in Query

inovexsean · ‎01-31-2019

I have a query, written by someone else, that I'm trying to understand: tstats count as count sum(sessionLength) as volume where (index=accm_*) name="John",selectors{}.category{}=* by selectors{}.categories{}, |.... I can not find a reference anywhere for the selectors{}.category{}. Could someone please point me in the right direction? Thanks.

mayurr98 · ‎01-31-2019

First of all are you getting output? query fails here itself at index-accm_* it should be index=accm_* can you paste entire query in 101010 sample code format.

View solution in original post

mayurr98 · ‎01-31-2019

First of all are you getting output? query fails here itself at index-accm_* it should be index=accm_* can you paste entire query in 101010 sample code format.

inovexsean · ‎01-31-2019

Sorry, that was a typo on my part. Due to sensitivity I cannot copy paste the entire query.

mayurr98 · ‎01-31-2019

okay now it looks better so if you look the raw data in verbose mode that is type this search query index=accm_* name=* you should see a field name selectors{}.categories{}.

You are basically doing event count and sum of session length by categories(values in the selectors{}.categories{} field )

inovexsean · ‎01-31-2019

Okay, so that's just some kind of internal field name that you only see when verbose mode is enabled. Thank you.

mayurr98 · ‎01-31-2019

yeah the query is written in tstats (which will not allow you to look at the raw data and is basically use for faster processing of searches when data model acceleration is ON)

Unfamiliar Syntax in Query

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Splunk Community Badges!

How to find the worst searches in your Splunk environment and how to fix them

Share Your Feedback: On Admin Config Service (ACS)!

Join the Conversation