Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why my search is return no result ?

mah
Builder
‎09-14-2020 08:55 AM

Hi, 

I have a search like this applied on many queries : 

index="abs" field1="aaa" field2="bbb" 
| eval dummy="true"
| eval epochnow = now()
| eval epochHorodate=strptime(Horodate, "%Y-%m-%dT%H:%M:%S")

| eval Horodate=strftime(epochHorodate, "%Y-%m-%dT%H:%M:%S")
| where epochnow>=epochHorodate
| eval _time=Horodate
| stats count(eval(Statut=="KO")) as KO by _time
| sort _time ASC
| appendpipe
[| stats sum(KO) as KO
| eval _time=now()]

Usually the search return a result like this : 

mah_1-1600098426870.png

I have the sum of KO / day. And then I use the single value for the visualization : 

mah_2-1600098619474.png

 

My issue is that on one query I have this error :

mah_3-1600098723353.png

And it doesn't span bay day anymore.

Can you help me please ?

 

 

 

 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-15-2020 12:50 AM

Hi @mah,

at first you don't need to rename Horodate as _time (| eval _time=Horodate)

then I don't like the double "=".

Then, if you want to use stats BY _time (or Horodate), you have to put a bin command before to group values, otherwise you have touse the timechart command that permits to define the span:

so:

index="abs" field1="aaa" field2="bbb" 
| eval epochnow = now()
| eval epochHorodate=strptime(Horodate, "%Y-%m-%dT%H:%M:%S")
| where epochnow>=epochHorodate
| bin Horodate span=1d
| stats count(eval(Statut="KO")) as KO values(ASC) AS ASC by Horodate
| sort _time ASC

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-15-2020 12:50 AM

Hi @mah,

at first you don't need to rename Horodate as _time (| eval _time=Horodate)

then I don't like the double "=".

Then, if you want to use stats BY _time (or Horodate), you have to put a bin command before to group values, otherwise you have touse the timechart command that permits to define the span:

so:

index="abs" field1="aaa" field2="bbb" 
| eval epochnow = now()
| eval epochHorodate=strptime(Horodate, "%Y-%m-%dT%H:%M:%S")
| where epochnow>=epochHorodate
| bin Horodate span=1d
| stats count(eval(Statut="KO")) as KO values(ASC) AS ASC by Horodate
| sort _time ASC

Ciao.

Giuseppe

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-15-2020 07:43 AM

Hi @mah.,

good!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated  😉

0 Karma
Reply
Solved! Jump to solution

mah
Builder
‎09-15-2020 01:44 AM

The bin doesn't work with the Horodate :

mah_0-1600159431516.png

 

But works with _time :

mah_1-1600159480157.png

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-15-2020 05:37 AM

Hi @mah,

do it solve your need?

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

mah
Builder
‎09-15-2020 06:08 AM

It works. 

Thanks for helping!

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-14-2020 09:04 AM

Hi @mah,

The approach to debug a search is to delete one row at a time from the end of the search to understand  which row has the problem.

Anyway, probably the problem is that you want to sort for ASC (| sort _time ASC), but ASC isn't present in the previous stats command, so you haven't anymore after "| stats count(eval(Statut=="KO")) as KO by _time".

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

mah
Builder
‎09-14-2020 09:27 AM

I put the "| stats count(eval(Statut=="KO")) as KO by _time" at the end in order to answer to this other issue : 

https://community.splunk.com/t5/Dashboards-Visualizations/Drilldown-not-working-at-all/m-p/519370#M3...

I've already tried to see command by command but I don't find where it goes wrong. 

I find out that at this command :

index=abc 

| eval dummy="true"
| eval epochnow = now()
| eval epochHorodate=strptime(Horodate, "%Y-%m-%dT%H:%M:%S")| eval Horodate=strftime(epochHorodate, "%Y-%m-%dT%H:%M:%S")
| where epochnow>=epochHorodate
| eval _time=Horodate

The _time returned like this : 

NaN/NaN/aN
NaN:NaN:NaN.000 AM

 

and then when I added this command and put a single value, the problem is the same : 

"These results may be truncated. This visualization is configured to display a maximum of 1000 results per series, and that limit has been reached."

 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-14-2020 09:34 AM

Hi @mah,

running 

index=abc 
| eval dummy="true"
| eval epochnow = now()
| eval epochHorodate=strptime(Horodate, "%Y-%m-%dT%H:%M:%S")| eval Horodate=strftime(epochHorodate, "%Y-%m-%dT%H:%M:%S")
| table _time epochnow epochHorodate

which results do you have?

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

mah
Builder
‎09-15-2020 12:37 AM

Hi @gcusello ,

I run the above command : 

mah_0-1600155104060.png

and I run the eval command I have in my begining search : 

mah_1-1600155219295.png

But when I added the following command : | stats count(eval(Statut=="KO")) as KO by _time

The problem still the same :  it doesn't make a span by day anymore and the visualization goes wrong :

mah_2-1600155440539.png

 

mah_3-1600155460435.png

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...