Splunk Search

Why are certain events not showing in '| stats count' output?

agoktas
Communicator

Hello,

The following search:

index=app_win source=service State=Stopped StartMode (Auto OR Manual) Name=*IBM* OR Description=*IBM* OR DisplayName=*IBM* | stats count by DisplayName StartMode host Description | rename DisplayName as "Service Name"

does not show some events.

Here is an example of one that shows up just fine:

Type=Service 
Name="IBMWAS70Service - TOS_Server_Server01" 
DisplayName="IBM WebSphere Application Server V7.0 - TOS_Server_Server01" 
Description="Controls the running of an IBM WebSphere Application Server V7.0 server named: TOS_Server_Server01" 
Path=""C:\vol\data\IBM\WebSphere\AppServer-V70\bin\wasservice.exe" "IBMWAS70Service - TOS_Server_Server01"" 
ServiceType="Own Process" 
StartMode="Manual" 
Started=false 
State="Stopped" 
Status="OK" 
ProcessId=0
host = server01
source = service
sourcetype = WinHostMon

Here is an example of one that does NOT show up in the | stats output:

Type=Service 
Name="MailService" 
DisplayName="IBM Rational ClearQuest Mail Service" 
Description= 
Path=""C:\Program Files (x86)\IBM\RationalSDLC\ClearQuest\mailservice.exe"" 
ServiceType="Own Process" 
StartMode="Auto" 
Started=false 
State="Stopped" 
Status="OK" 
ProcessId=0
host = server02
source = service
sourcetype = WinHostMon

Any ideas?

Perhaps something to do with the description being blank? Why would that matter (especially when using an OR operator)?

Thanks!

0 Karma
1 Solution

agoktas
Communicator

I found the answer (Thanks to Splunk Support staff):

When the stats is used for multiple column, it will only consider the rows that values for all of the fields listed in "by" part of stats

To pull all rows you need to use fillnull option as covered in http://docs.splunk.com/Documentation/Splunk/4.3.3/SearchReference/Fillnull

All you need to do with add
| fillnull value=NULL

View solution in original post

agoktas
Communicator

I found the answer (Thanks to Splunk Support staff):

When the stats is used for multiple column, it will only consider the rows that values for all of the fields listed in "by" part of stats

To pull all rows you need to use fillnull option as covered in http://docs.splunk.com/Documentation/Splunk/4.3.3/SearchReference/Fillnull

All you need to do with add
| fillnull value=NULL

ramdaspr
Contributor
index=app_win source=service State=Stopped StartMode (Auto OR Manual) (Name="*IBM*" OR Description="*IBM*" OR DisplayName="*IBM*") | stats count by DisplayName StartMode host Description | rename DisplayName as "Service Name"

Try with the or's bracketed.

0 Karma

agoktas
Communicator

Do you mean in parenthesis?

I tried your example and get the same results.

Any other ideas?

Thanks!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...