Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why some of the field values are missing after stats and chart command?

auaave
Communicator
‎04-17-2018 08:51 PM

Hi Guys,

When I run the below query, it only returns the eventHour up to 14 (2pm) when there are events up to eventHour 18 (6pm).
I tried to add |search eventHour=15,16,17,18 after the |eval eventHour and it returned the stats on those eventHours.

What should I do to display the stats on all eventHours? Thank you!

---search---

| eval eventHour=strftime(_time,"%H") 
| table eventHour STORAGECYCLEGROUPID DESTINATIONRACKLOCATION AISLE BAY LEVEL 
| sort STORAGECYCLEGROUPID EVENTTS ASC 
| autoregress STORAGECYCLEGROUPID as SC 
| eval SC2=(STORAGECYCLEGROUPID-SC) 
| eval cyclecheck=if(SC2=="0",0,1) 
| autoregress BAY as BAY2 
| eval baycheck=abs(BAY-BAY2) 
| autoregress LEVEL as LEVEL2 
| eval levelcheck=abs(LEVEL-LEVEL2) 
| eval stops=if(cyclecheck=1 OR baycheck>1 OR levelcheck>0,1,0) 
| stats max(eventHour) as eventHour sum(stops) as numberofstop by STORAGECYCLEGROUPID 
| chart count over eventHour by numberofstop 
| rename 1 as "1 Stop", 2 as "2 Stops", 3 as "3 Stops", 4 as "4 Stops"
0 Karma
Reply

p_gurav
Champion
‎04-17-2018 09:02 PM

Can you try :

 | eval eventHour=strftime(_time,"%H") 
 | table eventHour STORAGECYCLEGROUPID DESTINATIONRACKLOCATION AISLE BAY LEVEL 
 | sort STORAGECYCLEGROUPID EVENTTS ASC 
 | autoregress STORAGECYCLEGROUPID as SC 
 | eval SC2=(STORAGECYCLEGROUPID-SC) 
 | eval cyclecheck=if(SC2=="0",0,1) 
 | autoregress BAY as BAY2 
 | eval baycheck=abs(BAY-BAY2) 
 | autoregress LEVEL as LEVEL2 
 | eval levelcheck=abs(LEVEL-LEVEL2) 
 | eval stops=if(cyclecheck=1 OR baycheck>1 OR levelcheck>0,1,0) 
 | stats  sum(stops) as numberofstop by STORAGECYCLEGROUPID , eventHour
 | chart count over eventHour by numberofstop 
 | rename 1 as "1 Stop", 2 as "2 Stops", 3 as "3 Stops", 4 as "4 Stops"
0 Karma
Reply

auaave
Communicator
‎04-17-2018 09:11 PM

@p_gurav, thanks for your reply! 🙂

I tried it but it's still the same. Btw, I am using |stats max(eventHour) because 1 STORAGECYCLEGROUPID can have maximum of 4 events and I want it to look at the max eventHour if incase all events did not occur on the same eventHour.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...