- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Unable to get count when variable names has a "-"
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One of the queries i'm using has a variable with a "-" and splunk is unable to get me the stats count using the variable.
Example : your search | stats count by Order-Type
Is there a limitation on the variable names to be used in splunk?
Note: I did get the final result by using regex.
Example: your search | rex field=raw "Order-Type=(?[\"A-Z ]+)" | stats count by type
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I got the answer after talking to a friend. Splunk parsed the field Order-Type as Order_Type(listed in interesting fields of verbose mode).
All i needed to do was "your search | stats count by Order_Type"
Thanks guys!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I got the answer after talking to a friend. Splunk parsed the field Order-Type as Order_Type(listed in interesting fields of verbose mode).
All i needed to do was "your search | stats count by Order_Type"
Thanks guys!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Right!! thats actually true, splunk converts '-' to '_' at the time of ingestion.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is weird. I can no longer do a stats count by with variables separated by -. I think i was able to do this earlier. Is there something s Splunk admin could do to disable this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this
... rename *-* AS ** ... | stats count by OrderType
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I did try to replicate the same scenario and for me its working fine without any issues. If you are not getting the desired results using @richgalloway`s response, try creating a new filed for Order-Type using the below command.
|eval OrderType='Order-Type'
|stats count by OrderType
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Updated the example: your search | rex field=raw "Order-Type=(?[\"A-Z ]+)" | stats count by type
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The stats command is probably trying to subtract field 'Type' from field 'Order' and is failing because neither field exists. Try one of the following:
1) ... | stats count by 'Order-Type'
2) ... | rename "Order-Type" as OrderType | stats count by OrderType | rename OrderType as "Order-Type"
3) Use a different field name without a hyphen in it.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have already tried #1 and #2, but that doesn't seem to work. #3 is not an option without a code change and i do not want to take that route.
Troubleshooting the OpenTelemetry Collector
Adoption of Infrastructure Monitoring at Splunk
Modern way of developing distributed application using OTel
