Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

can't get a field to appear when using stats

tb5821
Communicator
‎01-03-2013 01:05 PM

A have a ...| selfjoin subsearch which joins on two fields id, vid. I then pass the fields I want kept to my main search via | fields + id + vid + url. My main search looks for all errors which will only contain the url field not the id and vid fields but it seems since I'm doing a stats my id and vid fields are not populated in the resulting table... help.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎01-03-2013 01:27 PM

The only fields stats passes on to the rest of the search pipeline are the ones involved in the stats calculation. So for instance stats count by id,vid,url will only give you the fields count, id, vid and url.

If you want to calculate stats but still have access to fields, you could look into using eventstats instead. It calculates stats and writes them on a per-event basis, so other fields will not be removed.

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎01-03-2013 01:27 PM

The only fields stats passes on to the rest of the search pipeline are the ones involved in the stats calculation. So for instance stats count by id,vid,url will only give you the fields count, id, vid and url.

If you want to calculate stats but still have access to fields, you could look into using eventstats instead. It calculates stats and writes them on a per-event basis, so other fields will not be removed.

Reply
Solved! Jump to solution

Ayn
Legend
‎01-04-2013 08:12 AM

Please clarify what you mean by that they "show up" and "go away"? I'm pretty confident that fields will not just go away at the end of a search, ever.

0 Karma
Reply
Solved! Jump to solution

tb5821
Communicator
‎01-04-2013 06:00 AM

Makes sense but still doesn't explain my issue.

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎01-04-2013 01:50 AM

well. no.
Your indexed events contain information that can be parsed into fields (like vid, url etc). That never changes.

On top of that, you can use commands like eval or eventstats which will create new fields to your events. These only exist in the search you are running, and do not alter the indexed data.

To further confuse this, certain types of command - like stats, chart, transaction etc - will change the concept of "event" for the search you are running, i.e. after a chart command, each row is considered an event, which can be written out or acted upon further.

Makes sense?

/k

0 Karma
Reply
Solved! Jump to solution

tb5821
Communicator
‎01-03-2013 02:59 PM

Hmm, so my other fields when using either eventstats or stats show up for a few seconds assuming until the search is done and then they go away... thoughts?

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎01-03-2013 01:16 PM

more information needed. submit sample events, with further explanation if necessary. also, please describe your desired output.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...