Solved: Table not populating all results in a column

sheloaha · ‎01-09-2018

I am trying to create a dashboard panel that shows errors received. I am using a field alias to rename three fields to "error" to show all instances of errors received. Due to the nature of the log I could not get my field extraction to work on all errors in one pass, hence the use of field alias. My "error" column is not displaying all results. I have tried using "fields" to pass over the required data but nothing is working. This is my search:

index=myindex sourcetype=mysourcetype error | fields _time,xxx_xxxx_xxx,call_error,conID_not_found,val_error,error | table _time xxx_xxxx_xxx error

And this is the result I get:

_time XXX_XXXX_XXX error
2017-10-25T11:25:53.978-0400 xxxxxxxxxxxxxxxxxxx getUser Account web service:
2017-10-25T09:35:31.794-0400 xxxxxxxxxxxxxxxxxxx getUser Account web service:
2017-10-18T22:13:18.870-0400 xxxxxxxxxxxxxxxxxxx Missing "Jurisdiction" parameter
2017-10-18T21:57:11.458-0400 xxxxxxxxxxxxxxxxxxx
2017-10-18T21:57:02.833-0400 xxxxxxxxxxxxxxxxxxx
2017-10-18T21:56:52.036-0400 xxxxxxxxxxxxxxxxxxx
2017-10-18T21:55:35.535-0400 xxxxxxxxxxxxxxxxxxx
2017-10-18T13:38:03.157-0400 xxxxxxxxxxxxxxxxxxx Missing "Request Received Date" parameter
2017-10-18T12:24:24.826-0400 xxxxxxxxxxxxxxxxxxx Missing "Request Received Date" parameter
2017-10-18T05:25:05.793-0400 xxxxxxxxxxxxxxxxxxx Missing "Jurisdiction" parameter
2017-10-18T05:01:58.696-0400 xxxxxxxxxxxxxxxxxxx
2017-10-18T05:00:57.618-0400 xxxxxxxxxxxxxxxxxxx
2017-10-18T05:00:04.759-0400 xxxxxxxxxxxxxxxxxxx
2017-10-17T10:29:31.938-0400 xxxxxxxxxxxxxxxxxxx Missing "Request Received Date" parameter
2017-10-16T13:06:25.353-0400 xxxxxxxxxxxxxxxxxxx "Contract Number" has exceeded its character length of "50"

Why am I missing results in the error column. They exist in the events panel.

somesoni2 · ‎01-09-2018

Try like this.

index=myindex sourcetype=mysourcetype error | fields _time,xxx_xxxx_xxx,call_error,conID_not_found,val_error,error | eval error=coalesce(error,call_error,conID_not_found,val_error) | table _time xxx_xxxx_xxx error

As you said, due to complexity of field extraction, different errors are captured in different field names. You'd use coalesce function to merge (taking the first available value) those error fields (assuming only one type of error happens in an event).

View solution in original post

sheloaha · ‎01-12-2018

I was able to experiment further with coalesce and get this working. I had an issue with one of the field extractions.

somesoni2 · ‎01-09-2018

Try like this.

index=myindex sourcetype=mysourcetype error | fields _time,xxx_xxxx_xxx,call_error,conID_not_found,val_error,error | eval error=coalesce(error,call_error,conID_not_found,val_error) | table _time xxx_xxxx_xxx error

As you said, due to complexity of field extraction, different errors are captured in different field names. You'd use coalesce function to merge (taking the first available value) those error fields (assuming only one type of error happens in an event).

sheloaha · ‎01-10-2018

I am still getting blank fields in the "error" column when I try that.

somesoni2 · ‎01-10-2018

What do you get when you run this?

index=myindex sourcetype=mysourcetype error | table _time,xxx_xxxx_xxx,call_error,conID_not_found,val_error,error

Table not populating all results in a column

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...