Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why some of the field values are missing after stats and chart command?

auaave
Communicator
‎04-17-2018 08:51 PM

Hi Guys,

When I run the below query, it only returns the eventHour up to 14 (2pm) when there are events up to eventHour 18 (6pm).
I tried to add |search eventHour=15,16,17,18 after the |eval eventHour and it returned the stats on those eventHours.

What should I do to display the stats on all eventHours? Thank you!

---search---

| eval eventHour=strftime(_time,"%H") 
| table eventHour STORAGECYCLEGROUPID DESTINATIONRACKLOCATION AISLE BAY LEVEL 
| sort STORAGECYCLEGROUPID EVENTTS ASC 
| autoregress STORAGECYCLEGROUPID as SC 
| eval SC2=(STORAGECYCLEGROUPID-SC) 
| eval cyclecheck=if(SC2=="0",0,1) 
| autoregress BAY as BAY2 
| eval baycheck=abs(BAY-BAY2) 
| autoregress LEVEL as LEVEL2 
| eval levelcheck=abs(LEVEL-LEVEL2) 
| eval stops=if(cyclecheck=1 OR baycheck>1 OR levelcheck>0,1,0) 
| stats max(eventHour) as eventHour sum(stops) as numberofstop by STORAGECYCLEGROUPID 
| chart count over eventHour by numberofstop 
| rename 1 as "1 Stop", 2 as "2 Stops", 3 as "3 Stops", 4 as "4 Stops"
0 Karma
Reply

p_gurav
Champion
‎04-17-2018 09:02 PM

Can you try :

 | eval eventHour=strftime(_time,"%H") 
 | table eventHour STORAGECYCLEGROUPID DESTINATIONRACKLOCATION AISLE BAY LEVEL 
 | sort STORAGECYCLEGROUPID EVENTTS ASC 
 | autoregress STORAGECYCLEGROUPID as SC 
 | eval SC2=(STORAGECYCLEGROUPID-SC) 
 | eval cyclecheck=if(SC2=="0",0,1) 
 | autoregress BAY as BAY2 
 | eval baycheck=abs(BAY-BAY2) 
 | autoregress LEVEL as LEVEL2 
 | eval levelcheck=abs(LEVEL-LEVEL2) 
 | eval stops=if(cyclecheck=1 OR baycheck>1 OR levelcheck>0,1,0) 
 | stats  sum(stops) as numberofstop by STORAGECYCLEGROUPID , eventHour
 | chart count over eventHour by numberofstop 
 | rename 1 as "1 Stop", 2 as "2 Stops", 3 as "3 Stops", 4 as "4 Stops"
0 Karma
Reply

auaave
Communicator
‎04-17-2018 09:11 PM

@p_gurav, thanks for your reply! 🙂

I tried it but it's still the same. Btw, I am using |stats max(eventHour) because 1 STORAGECYCLEGROUPID can have maximum of 4 events and I want it to look at the max eventHour if incase all events did not occur on the same eventHour.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...