Splunk Search

help on a stats command with a filter token

jip31
Motivator

hello

I use the search below which works fine


`fiability` 
| fields host Logfile SourceName ProductName SITE DEPARTMENT RESPONSIBLE_USER
| search Logfile=Application AND (SourceName="Application Hang" OR SourceName="Application Error") 
| search (ProductName=*)  
| stats last(SITE) as SITE, last(DEPARTMENT) as DEPARTMENT, last(RESPONSIBLE_USER) as RESPONSIBLE_USER, count(eval(SourceName="Application Error")) as "Number of Errors", count(eval(SourceName="Application Hang")) as "Number of Hang", count as "Number of crashes" by ProductName 
| rename ProductName as Product 
| sort -"Number of crashes"


The problem I have is in my XML file, because I use token filters on the DEPARTMENT and RESPONSIBLE_USER fields.

Since I just use a stats by ProductName, the RESPONSIBLE_USER related to the ProductName is just the last RESPONSIBLE_USER of the ProductName and not all the RESPONSIBLE_USER values for a specific ProductName.

So when I use the token for the RESPONSIBLE_USER in my dashboard, it doesn't reflect the exact reality.

And if I do a stats by ProductName RESPONSIBLE_USER it's not good, because I have many counts for the same ProductName.

What I need is to have a single count for the same ProductName and, at the same time, to have all the ProductName counts for the same RESPONSIBLE_USER (meaning something other than the last RESPONSIBLE_USER for a ProductName...).

Could you help me please?


richgalloway
SplunkTrust

Use the values function of stats to get all values of RESPONSIBLE_USER:

...
| stats last(SITE) as SITE, last(DEPARTMENT) as DEPARTMENT, values(RESPONSIBLE_USER) as RESPONSIBLE_USER, count(eval(SourceName="Application Error")) as "Number of Errors", count(eval(SourceName="Application Hang")) as "Number of Hang", count as "Number of crashes" by ProductName 
...


---
If this reply helps you, Karma would be appreciated.

jip31
Motivator

I have already done this, and it works if I put the token before the stats command:

| search ProductName="browser_*" AND RESPONSIBLE_USER=*ABCDE* 
| stats last(SITE) as SITE, values(DEPARTMENT) as DEPARTMENT, values(RESPONSIBLE_USER) as RESPONSIBLE_USER, count(eval(SourceName="Application Error")) as "Number of Errors", count(eval(SourceName="Application Hang")) as "Number of Hang", count as "Number of crashes" by ProductName 

but.....

For this search, I use a scheduled search.

So it means that I use my filter token after the loadjob command:

| loadjob savedsearch="admin:XXXX:YYYYY" 
| search RESPONSIBLE_USER=$tok_filterresponsible|s$ 

And in this case I am unable to filter on the right RESPONSIBLE_USER....

richgalloway
SplunkTrust

The values function may produce a multi-value field that requires using the mvfind function to search.

---
If this reply helps you, Karma would be appreciated.

jip31
Motivator

Do you have an example, please?

richgalloway
SplunkTrust
| loadjob savedsearch="admin:XXXX:YYYYY" 
| where isnotnull(mvfind(RESPONSIBLE_USER, $tok_filterresponsible|s$))

mvfind looks in the multi-value field for the given string. If successful, it returns an index into the field; otherwise, it returns NULL.

---
If this reply helps you, Karma would be appreciated.
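Putting both halves of the thread together (an added example, not code from either poster): the first search is the scheduled one and keeps values() for both multivalue fields, the second is the dashboard panel search that filters the loaded results with mvfind on each token. The savedsearch name is the thread's placeholder, and the DEPARTMENT token name $tok_filterdepartment$ is assumed.

```spl
`fiability`
| fields host Logfile SourceName ProductName SITE DEPARTMENT RESPONSIBLE_USER
| search Logfile=Application AND (SourceName="Application Hang" OR SourceName="Application Error")
| stats last(SITE) as SITE,
        values(DEPARTMENT) as DEPARTMENT,
        values(RESPONSIBLE_USER) as RESPONSIBLE_USER,
        count(eval(SourceName="Application Error")) as "Number of Errors",
        count(eval(SourceName="Application Hang")) as "Number of Hang",
        count as "Number of crashes"
  by ProductName

| loadjob savedsearch="admin:XXXX:YYYYY"
| where isnotnull(mvfind(RESPONSIBLE_USER, $tok_filterresponsible|s$))
    AND isnotnull(mvfind(DEPARTMENT, $tok_filterdepartment|s$))
| rename ProductName as Product
| sort -"Number of crashes"
```

The |s token filter wraps the selected value in double quotes, which is the form mvfind's second argument expects, and mvfind treats that string as a regular expression matched against each value of the multivalue field, so a plain substring works without wildcards. A "match everything" default for the tokens should therefore be a regex such as . rather than *.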