Splunk Search

can't get a field to appear when using stats

tb5821
Communicator

I have a ...| selfjoin subsearch which joins on two fields, id and vid. I then pass the fields I want kept to my main search via | fields + id + vid + url. My main search looks for all errors, which will only contain the url field, not the id and vid fields, but it seems that since I'm doing a stats my id and vid fields are not populated in the resulting table... help.

0 Karma
1 Solution

Ayn
Legend

The only fields stats passes on to the rest of the search pipeline are the ones involved in the stats calculation. So for instance stats count by id,vid,url will only give you the fields count, id, vid and url.

If you want to calculate stats but still have access to fields, you could look into using eventstats instead. It calculates stats and writes them on a per-event basis, so other fields will not be removed.
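
The distinction above, as an added illustration that is not part of the original answer: a small Python model of what `stats count by ...` and `eventstats count AS ... by ...` each leave behind, run over a constructed result set shaped like the asker's (joined events carry id, vid and url; the error events carry only url). The field names, values and the `stats_count_by` / `eventstats_count_by` functions are assumptions made for this example.

```python
# Constructed sample of search results, as they might look after the
# asker's selfjoin: some events carry id/vid/url, the error events only url.
EVENTS = [
    {"id": "1", "vid": "a", "url": "/login", "status": "ok"},
    {"id": "2", "vid": "b", "url": "/api/items", "status": "ok"},
    {"url": "/login", "status": "error", "msg": "timeout"},
    {"url": "/login", "status": "error", "msg": "500"},
    {"url": "/api/items", "status": "error", "msg": "403"},
]


def stats_count_by(events, by):
    """Model of `| stats count by <by>`: one row per distinct combination of
    the by-fields, carrying only those fields plus count. Events missing any
    by-field are excluded, and every other field (status, msg, ...) is gone."""
    rows = {}
    for ev in events:
        key = tuple(ev.get(f) for f in by)
        if any(v is None for v in key):
            continue
        rows[key] = rows.get(key, 0) + 1
    return [dict(zip(by, key), count=n) for key, n in rows.items()]


def eventstats_count_by(events, by, as_field="count"):
    """Model of `| eventstats count AS <as_field> by <by>`: the aggregate is
    written onto each original event and all other fields are preserved.
    Events missing a by-field keep their fields but receive no aggregate."""
    counts = {}
    for ev in events:
        key = tuple(ev.get(f) for f in by)
        if all(v is not None for v in key):
            counts[key] = counts.get(key, 0) + 1
    out = []
    for ev in events:
        key = tuple(ev.get(f) for f in by)
        annotated = dict(ev)
        if key in counts:
            annotated[as_field] = counts[key]
        out.append(annotated)
    return out


def field_names(rows):
    """Set of field names present anywhere in a result set."""
    return set().union(*(r.keys() for r in rows)) if rows else set()
```

Grouping by id, vid and url in the model drops the three error events entirely, since they have no id or vid to group on, which is worth checking in the real data before reaching for either command.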

Ayn
Legend

Please clarify what you mean by them "showing up" and "going away". I'm pretty confident that fields will not just go away at the end of a search, ever.

0 Karma

tb5821
Communicator

Makes sense but still doesn't explain my issue.

0 Karma

kristian_kolb
Ultra Champion

Well, no.
Your indexed events contain information that can be parsed into fields (like vid, url, etc). That never changes.

On top of that, you can use commands like eval or eventstats, which will create new fields on your events. These only exist in the search you are running, and do not alter the indexed data.

To further confuse this, certain types of command, like stats, chart, transaction, etc., will change the concept of "event" for the search you are running, i.e. after a chart command, each row is considered an event, which can be written out or acted upon further.

Makes sense?

/k

0 Karma

tb5821
Communicator

Hmm, so my other fields when using either eventstats or stats show up for a few seconds assuming until the search is done and then they go away... thoughts?

0 Karma

kristian_kolb
Ultra Champion

More information needed. Submit sample events, with further explanation if necessary. Also, please describe your desired output.

0 Karma