stats count which dont returns the same number of ...

jip31 · ‎02-11-2019

hi

I use two request which normally have to count the same number of events

the first is :
| eventtype=Periph
| dedup host
| stats count

For these one I have 106 events

the second is :
For this one I have less events
I think it's due to the fact that when i execute the query some lines are empty or sometimes there is the build and not the OS and sometimes there is the OS and not the build (see attachment)

eventtype=Periph OR eventtype=OSBuild
| eval OS=if(key_path=="\registry\machine\software\wow6432node\x\master\WindowsVersion",data, null),
Build=if(key_path=="\registry\machine\software\microsoft\windows nt\currentversion\ReleaseId",data,null)
| stats values(OS) as OS values(Build) as Build by host
| stats dc(host) as host by OS, Build
| sort -OS, Build limit=5

So what I have to do in order to have the same stats count in the second query that in the first query please???

lakshman239 · ‎02-11-2019

did you check using fillnull? [ assuming you are running on the same time window]

| eventtype=Periph
| fillnull value="N/A" host
| stats dc(host)

eventtype=Periph OR eventtype=OSBuild
| eval OS=if(key_path=="\registry\machine\software\wow6432node\x\master\WindowsVersion",data, null),
Build=if(key_path=="\registry\machine\software\microsoft\windows nt\currentversion\ReleaseId",data,null)
|fillnull value="N/A" OS, Build
| stats values(OS) as OS values(Build) as Build by host
| stats dc(host) as host_count by OS, Build | addcoltotals

stats count which dont returns the same number of events between 2 different query

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms