Why isn't this query working for me (using stats, ...

rbednark · ‎06-26-2019

The following query is not working for me:

message.meta.service=foo
| stats 
    count(eval(message.meta.route="/foobar/publish")) as publishes

It always results in publishes being 0, when it should be greater than 0 (e.g., 55).

Doing a query of just:
message.meta.route="/foobar/publish"
returns multiple events (e.g., 55), but wh

woodcock · ‎06-29-2019

Try this:

 index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo AND message.meta.service=foo
| stats count(eval('message.meta.route'="/foobar/publish")) AS publishes

You must encapsulate the field name in single-quotes because it contains periods.

gkolstad · ‎06-26-2019

Working with rbednark we discovered that renaming the variable allowed the eval and count to work as expected.
Can't use . in an eval comparison I guess?

message.meta.service=foo
| rename message.meta.route as route
| stats 
count(eval(route="/foobar/publish")) as publishes

somesoni2 · ‎06-26-2019

Try this (fields with special characters in its name should be enclosed in single quotes when used in expressions of eval/where)

 message.meta.service=foo
 | stats 
     count(eval('message.meta.route'="/foobar/publish")) as publishes

gkolstad · ‎06-26-2019

Renaming the variable allowed it to work.

message.meta.service=foo
| rename message.meta.route as route
 | stats 
     count(eval(route="/foobar/publish")) as publishes

Why isn't this query working for me (using stats, eval, count)

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!