Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

The stats command isn't returning any results?

mperren
Engager
‎02-11-2014 09:50 AM

I have the following splunk query:

search (...) AND ERROR
    | rex field=error "^.*(?<vcbn>Value cannot be null.)$"
    | stats count(vcbn) by error

but for whatever reason the stats count(vcbn) by error isn't generating any results.

Additionally, the rex field=error "^.*(?<vcbn>Value cannot be null.)$" isn't building a new field in the list on the left of the event search results.

The search itself returns 170 events.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-11-2014 10:14 AM

Start by displaying just the results of your search (everything before "rex") to make sure you're getting the events you think you're getting. Do you have a field called 'error'? If you want to capture the full stop at the end of the error message it should be escaped (.).

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

the_wolverine
Champion
‎02-11-2014 11:37 AM 
search (...) AND ERROR
    | rex field=error "^.*(?<vcbn>Value cannot be null.)$"
    | stats count by vcbn
0 Karma
Reply
Solved! Jump to solution

somesoni2
SplunkTrust
SplunkTrust
‎02-11-2014 10:39 AM

please provide some sample log entries and the portion which have to be extracted as vcbn.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-11-2014 10:14 AM

Start by displaying just the results of your search (everything before "rex") to make sure you're getting the events you think you're getting. Do you have a field called 'error'? If you want to capture the full stop at the end of the error message it should be escaped (.).

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-11-2014 10:47 AM

Try 'stats count(vcbn)'. Since your search is only returning a single value, there is no grouping and so no use for a by clause.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

linu1988
Champion
‎02-11-2014 10:46 AM

what do you get in vcbn? do you get all the values which you expect? And what i think you would like count on vcbn

rex "^.*(?Value cannot be null.)$" | stats count(vcbn) by vcbn

0 Karma
Reply
Solved! Jump to solution

mperren
Engager
‎02-11-2014 10:37 AM

@richgalloway: got it, so after changing it up a bit to rex "^.*(?<vcbn>Value cannot be null.)$" | stats count(vcbn) by _raw I get a graph - but it's empty. What might I have missed there? I've also noticed that the results listing no longer has these errors listed.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-11-2014 10:31 AM

I thought that might be the case. The field argument to the rex command tells rex what field to parse. Results are put into fields created by the '?<vcbn>' construct.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

mperren
Engager
‎02-11-2014 10:16 AM

I don't get a field called error, I thought I was trying to make a field called error that pulled out that text and then get stats on it. However, I do get the results I'm expecting with just the search.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...