All Apps and Add-ons

Why won't Splunk stats search not display data?

SS1
Path Finder

Hi,

I have below search, i have clubbed 3 searches into 1. Each individual search is working fine but when i clubbed its not able to pull data from previous year and the table shows empty values fore few months

 

index=dev  AND "alpha" | dedup _time|  eval Month=strftime(_time,"%m %b %Y")|stats count by Month| rename count as alpha | appendcols [search index=DEV AND "[beta]" | dedup _time|eval Month=strftime(_time,"%m %b %Y")|stats count by Month| rename count as beta] | appendcols [search index=dev AND "gamma"  | dedup _time| eval Month=strftime(_time,"%m %b %Y")|stats count by Month| rename count as gamma]

 

Labels (3)
0 Karma

SS1
Path Finder

Hi @ITWhisperer 

 

Thanks for the response, my events will have "alpha" or "gamma" or gamma [beta], how would the search be like?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Case function operates left to right, so check gamma [beta] before gamma

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

appendcols is rarely the right answer

If your events only have either "alpha" or "[beta]" or "gamma" and never more than one of them, you could try something like this

index=dev
| eval type=case(match(_raw,"alpha"),"alpha",match(_raw,"\[beta\]"),"beta",match(_raw,"gamma"),"gamma")
| dedup _time type
| eval Month=strftime(_time,"%m %b %Y")
| chart count by Month type
Get Updates on the Splunk Community!

New Splunk Observability innovations: Deeper visibility and smarter alerting to ...

You asked, we delivered. Splunk Observability Cloud has several new innovations giving you deeper visibility ...

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...