- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: We need other way of solution instead of event...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We need other way of solution instead of eventstats
index="*" | eval foo=coalesce(F1,F2) | eventstats values(P1) as Foo2 by foo| ....
output search
foo P1 F1 F2 Foo2
- result1 X2 result1 NULL X2
- result1 NULL NULL result1 X2 ( 1 and 2 are different log events.)
The above output is getting used by eventstats.... when event count increase, the some of the fields are not getting result.
Please provide me the solution instead of using event stats, is there any other way to match the two fields to get other field output result.?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes write, we are getting result FOO2 if you use eventstats only running at limited period [every 5min or 15min].
But if you run that same query more than 30 min period, FOO2 is NULL . Because Eventstats taking more memory usage, its crossed the limit.
But I need 2nd event result when put "index="*" | eval foo=coalesce(F1,F2) | eventstats values(P1) as Foo2 by foo | where isnull(P1)...."
foo P1 F1 F2 Foo2
2 result1 NULL NULL result1 X2
Do you have any other query to use instead of using eventstats to get same result?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@karthikeyan_k14 - you've cut off the part of the search that tells us what is wrong. What we see is exactly the right output for the input. You have two different types of records, one of which has F1 and P1 and no F2, the other has F2 and no F1 or P1. The missing fields correctly get NULLs.
Here's some things you can look at to debug. If none of them help, then follow the final instructions to post a clearer problem statement so that we can help you debug further.
To help debug this kind of thing, if your count is not going up as expected, then you could try this...
your search
| where isnull(foo2)
That will give you any records where no F1/P1 record was available in the time range selected. Review those and see if they are the problem.
eventstats has the purpose of calculating group values while leaving the individual transactions alone. If you just need one line of data for each foo, then use stats instead.
If you need the F1/P1 data copied onto the F2 record, and don't need the F1/P1event itself, then you should filter out the F1/P1 records immediately after the eventstats.
If all of the above didn't help, then we need clearer specifications. If you want different output, we need to know the kind of input records of each type that are getting the wrong output.
Here's what we generally need -
(1) The information about the two different kinds of events ( what fields are important in them)
(2) The desired output.
(3) The current code.
(4) The current output.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is very likely we can sort this out for you, but I'm finding it difficult to follow what the problem actually is.
So we're coalescing two fields - P1 and P2 into a new field call foo. Fine.
Then it looks like according to what you asked for, it should be giving you exactly that in the
| eventstats values(P1) as Foo2 by foo|
So I'm not sure what the problem is.
Evenstats may not be what you want here, if you restructure and try something like this:
index="*" | eval foo=coalesce(F1,F2) | stats count, values(P1) as Foo2 by foo| ....
Does that get closer?
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
