Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Why is Eventstats and Subsearch adding non-existent values to the table?

brajaram
Communicator
‎04-05-2018 11:47 AM

My data is structured in a way that there exists multiple types of events, each with a specific id field that is unique to the user triggering the events. Each time the user builds a page, it is recorded as an event.

I initially had a query like 

index=...
| eventstats sum(buildTime) as SumID by id| table SumID _time id| dedup id
| timechart mean(SumID) AS "Mean Time"

This search correctly provided the mean over time of the sum total of builds of any given id.

However, now I am trying to filter out all ids that hit a specific page. My plan was to use a subsearch such as:

index=... NOT [search index=... url="DONT WANT" | table id] 
| eventstats sum(buildTime) as SumID by id
| table SumID _time id

In theory, this should make the search filter out all events that contain an id in that subsearch produced table. And in fact, it does do that. If I take an ID that hits the page I don't want, and search for it within index=... NOT [search index=... url="DONT WANT" | table id] no results are found.

However, when I do | eventstats sum(buildTime) as SumID by id| table SumID _time id those ids show up in the subsequent table. Why does eventstats make those non-existent ids show up? In fact, if I even click the id from the table and click view events the events fail to return values. So the table is being populated with values that don't exist in the primary search.

0 Karma
Reply

DalJeanis
Legend
‎04-05-2018 09:06 PM

Try something like this 

index=...  
| append [ search index=... url="DONT WANT" | table id | eval flag="junk"] 
| eventstats max(flag) as flag by id
| where isnull(flag)
0 Karma
Reply

sravankaripe
Communicator
‎04-05-2018 03:39 PM

use fields command

index=... NOT [search index=... url="DONT WANT" | table id]
| eventstats sum(buildTime) as SumID by id
| table SumID _time id | fields SumID _time id

0 Karma
Reply

brajaram
Communicator
‎04-05-2018 03:56 PM

Still produces results that are not in the primary search. How is it possible that an event exists in the table, such that when I click on the event and click 'view events' to add it to the search, it returns no results?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...