Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Field names showing in table as field everytime I run a search

marvinlee93
Explorer
‎12-02-2018 01:23 AM

alt text

Hi,

index="alarm" sourcetype="DATAcombined" |streamstats avg(alarmcount) as avg stdev(alarmcount) as stdev |eval threeSigmaLimit = (avg + (stdev * 3)) | where alarmcount > threeSigmaLimit | table _time alarmcount by index2

Above is my search code. And I'm just wondering why my table will show the 'FIELDNAMES' in my table as 'FIELDS' everytime I run my code (Real-time). Anybody has any idea why?

Regards,
Marvin Lee

Tags (1)
Preview file
1 KB
0 Karma
Reply

marvinlee93
Explorer
‎12-02-2018 05:47 PM

alt text

Hi Rich, I've tried the code new code but still getting the same error. However, I've found something interesting. Whenever I refresh the table, since I'm pumping in real-time data, the values of threeSigma limit,average and StandardDev changes. And some indexes disappears (mostly the lower indexes: 50, 108). I suspect that it is due to the streamstats command??? From what I know, the streamstats should only affect the 'latest' field right?

Preview file
1 KB
0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎12-02-2018 04:52 AM

Could you provide a screenshot of "show the 'FIELDNAMES' in my table as 'FIELDS'" ?

All I see in your posted screenshot is exactly what I expect, although you have by in there probably accidentally.

0 Karma
Reply

marvinlee93
Explorer
‎12-02-2018 09:17 AM

I remove the 'by'. But everytime I run the search, sending in real time data, it will print alarmcount and index2.

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎12-02-2018 05:20 PM

OH!

Ha, I see now. You have the field contents - the actual word 'alarmcount' and 'index2' in there! Sorry, that sort of ... I must have just looked right over it. 😞

Hmmm.....

Can you try 

index="alarm" sourcetype="DATAcombined" |streamstats avg(alarmcount) as average stdev(alarmcount) as standarddev |eval threeSigmaLimit = (average  + (standarddev  * 3)) | where 'alarmcount' > 'threeSigmaLimit' | table _time alarmcount index2 threeSigmaLimit average standarddev

Specifically, I've added single-quotes around the two variables in the where, changed the name of stdev and avg to non-keywords, and added extra fields to the display.

What I want to see is if a) the problem goes away (because of the quotes now) and if it doesn't, what are the values of average and standarddev when it is wrong?

If it goes away, I expect it's the quotes - try changing one thing at a time back and see if we can narrow down just what the problem is.

0 Karma
Reply

marvinlee93
Explorer
‎12-02-2018 06:06 PM

Hi Rich. I have replied you as a comment below. I've have not really found the reason why the alarm count and index is showing? but I realized that the StandardDev and Average is changing for the same index everytime I refresh the table. It's supposed to be static. I suspect that it might be due to the streamstats command. From my knowledge, the streamstats command should only change the 'LATEST' field value right?

And I realized that, whenever I start a new search, it uses the previous average,3sigmalimit and standarddev VALUE as the initial value and that's when the 'ALARMCOUNT and INDEX2' appears.

Is there a way to prevent this? The initial value of average should only start counting from the 2nd index. and for Standard Deviation, the initial value should only start after the 3rd index.

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...