Why won't Splunk stats search not display data?

SS1 · ‎01-25-2023

Hi,

I have below search, i have clubbed 3 searches into 1. Each individual search is working fine but when i clubbed its not able to pull data from previous year and the table shows empty values fore few months

index=dev  AND "alpha" | dedup _time|  eval Month=strftime(_time,"%m %b %Y")|stats count by Month| rename count as alpha | appendcols [search index=DEV AND "[beta]" | dedup _time|eval Month=strftime(_time,"%m %b %Y")|stats count by Month| rename count as beta] | appendcols [search index=dev AND "gamma"  | dedup _time| eval Month=strftime(_time,"%m %b %Y")|stats count by Month| rename count as gamma]

SS1 · ‎01-26-2023

Hi @ITWhisperer

Thanks for the response, my events will have "alpha" or "gamma" or gamma [beta], how would the search be like?

ITWhisperer · ‎01-26-2023

Case function operates left to right, so check gamma [beta] before gamma

ITWhisperer · ‎01-25-2023

appendcols is rarely the right answer

If your events only have either "alpha" or "[beta]" or "gamma" and never more than one of them, you could try something like this

index=dev
| eval type=case(match(_raw,"alpha"),"alpha",match(_raw,"\[beta\]"),"beta",match(_raw,"gamma"),"gamma")
| dedup _time type
| eval Month=strftime(_time,"%m %b %Y")
| chart count by Month type

Why won't Splunk stats search not display data?

dashboard

search

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

Why won't Splunk stats search not display data?

dashboard

search

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases