debugging when columns are not filled out

tb5821 · ‎11-09-2018

How does one debug searches when you expect a column to be filled out yet its not?

sourcetype=mongo_stats 
| streamstats current=f last(count) as last_count last(_time) as time_of_last_change by namespace
| eval diffoflastchange=now()-time_of_last_change
| eval HH:MM:SS_since_last_change=tostring(diffoflastchange,"duration")
| rename count as current_count 
| fieldformat current_count=tostring(current_count,"commas") 
| table namespace current_count  HH:MM:SS_since_last_change lastChange | addcoltotals current_count | dedup namespace  | sort -current_count

for some reason the only columns I get are namespace and current count - the others are all blank but the logic to calculate the others looks right!

kmaron · ‎11-09-2018

In my experience it's best to strip down to the first piece and make sure it works then add back a piece at a time. so start with your streamstats and make sure its giving you what you expect.

 sourcetype=mongo_stats 
 | streamstats current=f last(count) as last_count last(_time) as time_of_last_change by namespace

is count a field that already exists in your sourcetype? if not you'll need a stats to do your counting before the streamstats.

tb5821 · ‎11-09-2018

yes it exists - problem seems to be that it can't tie the eval fields to the right namespace field?

debugging when columns are not filled out

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann