Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is my search to create a range of values not returning any results?

Rotema
Path Finder
‎03-02-2016 07:38 AM

Hello,

I'm trying to run this search in order to range the values:

index=prod GetClientStateNotFound | rex "AccountNumber=(?P\d+)" | chart count by AccountNumber | where count>=10 | convert rmunit(AccountNumber)| eval type=case(AccountNumber >=10 AND AccountNumber < 30,"Between 10 and 30 ",AccountNumber >= 31 AND AccountNumber <=50,"Between 31 and 50",AccountNumber >= 51 AND AccountNumber <=70,"Between 51 and 70", AccountNumber >= 71 AND AccountNumber <=100,"Between 71 and 100") | chart count by type

But I'm getting no results 😞
Can you help me understand what's wrong here?

Thanks,
Rotem

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-02-2016 11:42 PM

Since you wan to get range of count, not the account numbers, try like this

index=prod GetClientStateNotFound | rex "AccountNumber=(?P\d+)" | chart count by AccountNumber | where count>=10 | eval type=case(count>=10 AND count< 30,"Between 10 and 30 ",count>= 31 AND count<=50,"Between 31 and 50",count>= 51 AND count<=70,"Between 51 and 70", count>= 71 AND count<=100,"Between 71 and 100") | chart count by type

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-02-2016 11:42 PM

Since you wan to get range of count, not the account numbers, try like this

index=prod GetClientStateNotFound | rex "AccountNumber=(?P\d+)" | chart count by AccountNumber | where count>=10 | eval type=case(count>=10 AND count< 30,"Between 10 and 30 ",count>= 31 AND count<=50,"Between 31 and 50",count>= 51 AND count<=70,"Between 51 and 70", count>= 71 AND count<=100,"Between 71 and 100") | chart count by type
0 Karma
Reply
Solved! Jump to solution

Rotema
Path Finder
‎03-03-2016 12:46 AM

Hi,
that worked!
I just had to play with the rex a bit but that did the trick
Thank u

0 Karma
Reply
Solved! Jump to solution

Rotema
Path Finder
‎03-02-2016 11:27 PM

Hi,
Thanks for the replies.
here is an example of the data:
Query:
index=prod GetClientStateNotFound | rex "AccountNumber=(?P\d+)" | chart count by AccountNumber | where count>=10

Results:

AccountNumber count
1 2266456 52
2 5214944 44
3 2354071 35
4 6386060 35
5 6573558 35
6 6296155 34
7 6235968 33
8 6547036 30
9 1856928 29
10 2629859 26

What I'm trying to do is range the counts (1-30, 31-50, 51-70)

Thanks

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎03-02-2016 05:38 PM

Your rex command is wrong: it doesn't specify a field name. So there is no "AccountNumber" field. Try this

index=prod GetClientStateNotFound 
| rex "AccountNumber=(?P<AccountNumber>\d+)" 
| chart count by AccountNumber
| where count>=10 
| convert rmunit(AccountNumber)
| eval type=case(AccountNumber >=10 AND AccountNumber < 30,"Between 10 and 30 ",
                              AccountNumber >= 31 AND AccountNumber <=50,"Between 31 and 50",
                              AccountNumber >= 51 AND AccountNumber <=70,"Between 51 and 70", 
                             AccountNumber >= 71 AND AccountNumber <=100,"Between 71 and 100") 
| stats sum(count) as ClientStateNotFound count as NumAccountNumbers by type

Note that I have also changed the final command; you probably should pick whether you want to count the number of times that "GetClientStateNotFound" occurred - or whether you want to count the number of AccountNumbers of each type.
Note that the rex may still be wrong. Show us a sample of the data if you still need help.

0 Karma
Reply
Solved! Jump to solution

Rotema
Path Finder
‎03-02-2016 09:26 AM

Hi, no results.
I'm pretty sure the problem is that I'm getting the account values but what I want do is count the account numbers amount and then range them.

Tnx

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-02-2016 04:55 PM

Can you provide some sample values for Account number that you have? Probably issue with converting the Account number to numeric value to range.

0 Karma
Reply
Solved! Jump to solution

Rotema
Path Finder
‎03-02-2016 07:54 AM

Hi,
Just to clear, I'm trying to range the value of "AccountNumber"

Thanks,
Rotem

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-02-2016 09:03 AM

Do you get results if you run your query without last chart command??

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...