Hi Guys,
I am facing a strange problem with the streamstats command. Below is my search snippet. There are "blank" values for column e. I can see those "blank" values in e1. But after the streamstats function, I do not see those "blank" values in field e2, but I can see all other values except "blank". Can anyone help me to solve this problem? Why can't I see "blank" values in e2?
index=*|.....| table a b c d e|fillnull value=blank d e | where e>c OR e="blank"| stats list(e) as e1 by c | streamstats list(e1) as e2
| tail 2
Thanks in advance.
Your code should be working fine, if you have data that matches. Here's a run-anywhere sample that demonstrates it, and below is a line-by-line analysis...
| makeresults count=10 | streamstats count as recno
| eval c = case(recno>2 AND recno<6,2, recno>7 AND recno<11,5)
| eval e = case(recno==2 OR recno==4 OR recno==7 OR recno==9,1, recno==5, 3, recno==10,8)
| table a b c d e
| fillnull value=blank d e
| where e>c OR e="blank"
| stats values(d) list(e) as e1 by c
| streamstats list(e1) as e2
Okay, this is a basic programming problem. Let's start by eliminating everything that can't be it.
Variables a, b and d have no effect on the result, so we can eliminate them from the code. Only the values in c and e matter.
c has two possible values, null or a number.
e has three possible values, null, a number lower than c, or a number higher than c.
Let's make a table...
CASE  c     e
1     NULL  NULL
2     NULL  1
3     2     NULL
4     2     1
5     2     3
Now, after this code, what do we have?
|table c e|fillnull value=blank e
CASE  c     e
1     NULL  blank
2     NULL  1
3     2     blank
4     2     1
5     2     3
And after this code?
| where e>c OR e="blank"
CASE  c     e
1     NULL  blank
3     2     blank
5     2     3
After this code?
| stats list(e) as e1 by c
c  e1
2  blank
   3
Note that the above gives us a single record, but you will have one for each value of c. Let's assume you had a second set with c=5 whose values included blank and 8.
| streamstats list(e1) as e2
c  e1     e2
2  blank  blank
   3      3
5  blank  blank
   8      3
          blank
          8
And this code does not display the issues you were asking about. From that, we can assume that the problem is something having to do with the data, or that your code example does not do exactly what your live code does.