Splunk Search

can't get a field to appear when using stats

tb5821
Communicator

A have a ...| selfjoin subsearch which joins on two fields id, vid. I then pass the fields I want kept to my main search via | fields + id + vid + url. My main search looks for all errors which will only contain the url field not the id and vid fields but it seems since I'm doing a stats my id and vid fields are not populated in the resulting table... help.

Tags (1)
0 Karma
1 Solution

Ayn
Legend

The only fields stats passes on to the rest of the search pipeline are the ones involved in the stats calculation. So for instance stats count by id,vid,url will only give you the fields count, id, vid and url.

If you want to calculate stats but still have access to fields, you could look into using eventstats instead. It calculates stats and writes them on a per-event basis, so other fields will not be removed.

View solution in original post

Ayn
Legend

The only fields stats passes on to the rest of the search pipeline are the ones involved in the stats calculation. So for instance stats count by id,vid,url will only give you the fields count, id, vid and url.

If you want to calculate stats but still have access to fields, you could look into using eventstats instead. It calculates stats and writes them on a per-event basis, so other fields will not be removed.

Ayn
Legend

Please clarify what you mean by that they "show up" and "go away"? I'm pretty confident that fields will not just go away at the end of a search, ever.

0 Karma

tb5821
Communicator

Makes sense but still doesn't explain my issue.

0 Karma

kristian_kolb
Ultra Champion

well. no.
Your indexed events contain information that can be parsed into fields (like vid, url etc). That never changes.

On top of that, you can use commands like eval or eventstats which will create new fields to your events. These only exist in the search you are running, and do not alter the indexed data.

To further confuse this, certain types of command - like stats, chart, transaction etc - will change the concept of "event" for the search you are running, i.e. after a chart command, each row is considered an event, which can be written out or acted upon further.

Makes sense?

/k

0 Karma

tb5821
Communicator

Hmm, so my other fields when using either eventstats or stats show up for a few seconds assuming until the search is done and then they go away... thoughts?

0 Karma

kristian_kolb
Ultra Champion

more information needed. submit sample events, with further explanation if necessary. also, please describe your desired output.

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...