Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Why are the values showing wrong stats?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why are the values showing wrong stats?
earliest=-32d@d | search Mode="GoNoGo" | stats dc(source) by Number | eval A=if(source= "faulty.csv", "Fail", "Pass") | stats values(A)
Why returns values(A) "Pass" for all entries and
earliest=-32d@d | search Mode="GoNoGo" | eval A=if(source= "faulty.csv", "Fail", "Pass") | stats values(A)
returns "Pass" and "Fail"
Like to use:
earliest=-32d@d | search Mode="GoNoGo" | stats dc(source) by Number | eval A=if(source= "faulty.csv", "Fail", "Pass") | stats values(A) with the values "Pass" and "Fail" for A
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@LH_SPLUNK could you please describe what is the final output you are trying to get? Do you want to get the count of Fail and Pass? If this is so you should try the following:
<YourBaseSearchWithIndexAndSourceType> source=* earliest=-32d@d Mode="GoNoGo"
| stats count(eval(source="faulty.csv")) as Fail count(eval(source!="faulty.csv")) as Pass
In your first search, once you run the stats command you are left only with the fields returned by stats i.e. dc(source) and Number. Hence the subsequent eval on source will always be null resulting in A="Pass" for all source which is the default else condition.
PS: | search Mode="GoNoGo" should actually be a part of your base search for query optimization (hope you have index and/or sourcetype defined in your base search.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just to expand and clarify for @LH_SPLUNK, since this little nuance bit me more times than I'd like to admit when I first started using Splunk:
| stats dc(source) BY Number
will leave you with two fields. Those fields will be named dc(source) and Number
| stats dc(source) AS source BY Number
will also leave you with two fields. Those fields will be named source and Number.
So although the restructured search that @niketnilay has proposed above is a more efficient way to get the data you're seeking in this case, I thought it would be good to just be really explicit about why the search you crafted was failing. I've found it to be a best practice for me to always add an AS clause when I'm using stats - so all of my searches look something like this: | stats dc(something) AS something, values(another_thing) AS another_thing... because of how many times I wasted energy trying to figure out where my important field went!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
