Hello,
Here is my search:
index=app_win source=service State=Stopped StartMode (Auto OR Manual)
Name (*IBM* OR *CollabNet* OR *SVN* OR *Kofax* OR *QAS* OR *FLEXLm*) OR
Description (*IBM* OR *CollabNet* OR *SVN* OR *Kofax* OR *QAS* OR *FLEXLm*) OR
DisplayName (*IBM* OR *CollabNet* OR *SVN* OR *Kofax* OR *QAS* OR *FLEXLm*)
NOT (Description=*Collec* OR *EnvAdmin*) | stats count by DisplayName StartMode host Description | rename DisplayName as "Service Name"
Most of the results show up in my table output, but some of the results do not (FTR... ALL results DO show up in the raw search results, so we are 100% sure it is picking up that data. It simply doesn't want to graph it as part of the 'chart' output).
Any ideas why?
Example of the raw data of one that does NOT show:
Type=Service
Name="MailService"
DisplayName="IBM Rational ClearQuest Mail Service"
Description=
Path=""C:\Program Files (x86)\IBM\RationalSDLC\ClearQuest\mailservice.exe""
ServiceType="Own Process"
StartMode="Auto"
Started=false
State="Stopped"
Status="OK"
ProcessId=0
host =
source = service
sourcetype = WinHostMon
Example of one that DOES show:
Type=Service
Name="IBMWAS70Service - ContentEngine"
DisplayName="IBM WebSphere Application Server V7.0 - ContentEngine"
Description="Controls the running of an IBM WebSphere Application Server V7.0 server named: FileNet_Server_1_CE-"
Path=""C:\IBM\WebSphere\AppServer\bin\wasservice.exe" "IBMWAS70Service - ContentEngine""
ServiceType="Own Process"
StartMode="Manual"
Started=false
State="Stopped"
Status="OK"
ProcessId=0
host =
source = service
sourcetype = WinHostMon
Thanks!
In your search, you're grouping by "DisplayName StartMode host Description".
I imagine you removed the "host" value to place the question here, right? But if you look closely, the first event doesn't have a "Description" value, and "stats" will simply ignore the event. The workaround might be just adding a fillnull command before the stats, like this:
your_search | fillnull DisplayName StartMode host Description | stats count by DisplayName StartMode host Description | rename DisplayName as "Service Name"
The fillnull will populate with "0" by default, but you could change to any value, like fillnull value="Not present" fieldName. Hope it helps!
Cheers,
Mike
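A self-contained reproduction of the behaviour described in the answer above, added here as an example and not part of the original thread. It builds two constructed events with makeresults (the host value and the would_be_dropped field are assumptions made for the illustration), flags any event that has a null by-field, then applies fillnull before stats:

```spl
| makeresults count=2
| streamstats count AS n
| eval host="constructed-host-01"
| eval DisplayName=if(n=1, "IBM Rational ClearQuest Mail Service", "IBM WebSphere Application Server V7.0 - ContentEngine")
| eval StartMode=if(n=1, "Auto", "Manual")
| eval Description=if(n=1, null(), "Controls the running of an IBM WebSphere Application Server V7.0 server")
| eval would_be_dropped=if(isnull(DisplayName) OR isnull(StartMode) OR isnull(host) OR isnull(Description), "yes", "no")
| fillnull value="Not present" Description
| stats count by DisplayName StartMode host Description would_be_dropped
| rename DisplayName as "Service Name"
```

With the fillnull line in place both services appear in the table; removing that line leaves only the WebSphere row, because stats discards any event in which one of the by-fields is null.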
I agree this is the likely problem. You could readily validate this by enabling the Description field in the event listing and seeing if it is present on that event.
Yeppers! Thank you so much.
Yes, I simply added...
| fillnull value=NULL |
and all is now good.
Here is a search example:
index=app_win source=service State=Stopped StartMode (Auto OR Manual)
Name (IBM OR VW OR CollabNet OR SVN OR Kofax OR QAS OR FLEXLm) OR
Description (IBM OR CollabNet OR SVN OR Kofax OR QAS OR FLEXLm) OR
DisplayName (IBM OR CollabNet OR SVN OR Kofax OR QAS OR FLEXLm)
| fillnull value=NULL | stats count by DisplayName StartMode host Description | rename DisplayName as "Service Name"
I noticed that the ones that don't show up in the stats output table are ones that do not have a description.
Can anyone explain why this happens, and what I should correct?
Thanks!