Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why my search is return no result ?

mah
Builder
‎09-14-2020 08:55 AM

Hi, 

I have a search like this applied on many queries : 

index="abs" field1="aaa" field2="bbb" 
| eval dummy="true"
| eval epochnow = now()
| eval epochHorodate=strptime(Horodate, "%Y-%m-%dT%H:%M:%S")

| eval Horodate=strftime(epochHorodate, "%Y-%m-%dT%H:%M:%S")
| where epochnow>=epochHorodate
| eval _time=Horodate
| stats count(eval(Statut=="KO")) as KO by _time
| sort _time ASC
| appendpipe
[| stats sum(KO) as KO
| eval _time=now()]

Usually the search return a result like this : 

mah_1-1600098426870.png

I have the sum of KO / day. And then I use the single value for the visualization : 

mah_2-1600098619474.png

 

My issue is that on one query I have this error :

mah_3-1600098723353.png

And it doesn't span bay day anymore.

Can you help me please ?

 

 

 

 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-15-2020 12:50 AM

Hi @mah,

at first you don't need to rename Horodate as _time (| eval _time=Horodate)

then I don't like the double "=".

Then, if you want to use stats BY _time (or Horodate), you have to put a bin command before to group values, otherwise you have touse the timechart command that permits to define the span:

so:

index="abs" field1="aaa" field2="bbb" 
| eval epochnow = now()
| eval epochHorodate=strptime(Horodate, "%Y-%m-%dT%H:%M:%S")
| where epochnow>=epochHorodate
| bin Horodate span=1d
| stats count(eval(Statut="KO")) as KO values(ASC) AS ASC by Horodate
| sort _time ASC

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-15-2020 12:50 AM

Hi @mah,

at first you don't need to rename Horodate as _time (| eval _time=Horodate)

then I don't like the double "=".

Then, if you want to use stats BY _time (or Horodate), you have to put a bin command before to group values, otherwise you have touse the timechart command that permits to define the span:

so:

index="abs" field1="aaa" field2="bbb" 
| eval epochnow = now()
| eval epochHorodate=strptime(Horodate, "%Y-%m-%dT%H:%M:%S")
| where epochnow>=epochHorodate
| bin Horodate span=1d
| stats count(eval(Statut="KO")) as KO values(ASC) AS ASC by Horodate
| sort _time ASC

Ciao.

Giuseppe

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-15-2020 07:43 AM

Hi @mah.,

good!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated  😉

0 Karma
Reply
Solved! Jump to solution

mah
Builder
‎09-15-2020 01:44 AM

The bin doesn't work with the Horodate :

mah_0-1600159431516.png

 

But works with _time :

mah_1-1600159480157.png

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-15-2020 05:37 AM

Hi @mah,

do it solve your need?

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

mah
Builder
‎09-15-2020 06:08 AM

It works. 

Thanks for helping!

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-14-2020 09:04 AM

Hi @mah,

The approach to debug a search is to delete one row at a time from the end of the search to understand  which row has the problem.

Anyway, probably the problem is that you want to sort for ASC (| sort _time ASC), but ASC isn't present in the previous stats command, so you haven't anymore after "| stats count(eval(Statut=="KO")) as KO by _time".

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

mah
Builder
‎09-14-2020 09:27 AM

I put the "| stats count(eval(Statut=="KO")) as KO by _time" at the end in order to answer to this other issue : 

https://community.splunk.com/t5/Dashboards-Visualizations/Drilldown-not-working-at-all/m-p/519370#M3...

I've already tried to see command by command but I don't find where it goes wrong. 

I find out that at this command :

index=abc 

| eval dummy="true"
| eval epochnow = now()
| eval epochHorodate=strptime(Horodate, "%Y-%m-%dT%H:%M:%S")| eval Horodate=strftime(epochHorodate, "%Y-%m-%dT%H:%M:%S")
| where epochnow>=epochHorodate
| eval _time=Horodate

The _time returned like this : 

NaN/NaN/aN
NaN:NaN:NaN.000 AM

 

and then when I added this command and put a single value, the problem is the same : 

"These results may be truncated. This visualization is configured to display a maximum of 1000 results per series, and that limit has been reached."

 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-14-2020 09:34 AM

Hi @mah,

running 

index=abc 
| eval dummy="true"
| eval epochnow = now()
| eval epochHorodate=strptime(Horodate, "%Y-%m-%dT%H:%M:%S")| eval Horodate=strftime(epochHorodate, "%Y-%m-%dT%H:%M:%S")
| table _time epochnow epochHorodate

which results do you have?

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

mah
Builder
‎09-15-2020 12:37 AM

Hi @gcusello ,

I run the above command : 

mah_0-1600155104060.png

and I run the eval command I have in my begining search : 

mah_1-1600155219295.png

But when I added the following command : | stats count(eval(Statut=="KO")) as KO by _time

The problem still the same :  it doesn't make a span by day anymore and the visualization goes wrong :

mah_2-1600155440539.png

 

mah_3-1600155460435.png

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...