Why is the count field in this search not being wr...

DerekKing · ‎03-14-2014

Hi,

I'm trying to collect the number of emails with the same subject line into a summary index. Problem is, whilst my search appears to work, the count field is not written. Could anyone tell me where i'm going wrong please ?

Search is
eventtype="cisco_esa" | transaction maxspan=10s maxpause=10s mid icid dcid | search direction=inbound | timechart span=1m limit=1 count by Subject usenull=f useother=f | collect index=summary-idx

All I get is the Subject field (plus the other stuff splunk puts in).

Any help appreciated
Thanks
Derek

linu1988 · ‎03-14-2014

Then use stats rather than timechart..

eventtype="cisco_esa" | transaction maxspan=10s maxpause=10s mid icid dcid | search direction=inbound |bucket _time span=1m| stats count by _time,Subject

DerekKing · ‎03-14-2014

Its the count column i'm trying to get.

martin_mueller · ‎03-14-2014

You don't actually get a column called "count" though, so no field "count" is going to appear in the summary index.

DerekKing · ‎03-14-2014

Yes - I get a table format, with time & subject as columns, and the count in each row.

linu1988 · ‎03-14-2014

before you go for the collection,do you get any result with the sample search?

eventtype="cisco_esa" | transaction maxspan=10s maxpause=10s mid icid dcid | search direction=inbound | timechart span=1m limit=1 count by Subject usenull=f useother=f

Why is the count field in this search not being written?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!