All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Values from lookup are not displaying after using timechart, chart, or stats.

pratapbhanu2047
Engager
‎06-14-2018 02:58 AM

Hello,

I am not sure where i committing mistake, the Below SPL, does display all counter and the values. when i use max* in table but it does not show the values from my lookup files.(i.e : type environment sub_system)

index=n_*_1* collection="*" host=* collection="Host*" source="perfmon:Host*" AND source!="Perfmon:Host Process" | lookup lookup_list_host host output type environment sub_system | eval Value=round(Value) | eval my{counter}=Value | bin span=5min _time |stats max(my*) by _time |table _time type environment sub_system max*

the whole point is aggregating counter and its values(which i did by using eval my{counter}=Value) every 5min and displaying the result as in table format (i.e : table _time type environment sub_system max*) so that i can use this data to work further on building machine learning models.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎06-14-2018 12:58 PM

stats is a consuming command - it will only output what you've specifically told it to output. All the rest of the stuff that it receives as input is gone after it. So when you run stats max(my*) by _time, the only fields that will be available after that are _time (because you're splitting by it) and all the my* fields (because you're running max() on them).

If you want to perform the stats calculations but not consume all other input, use eventstats instead. It will do the same thing but instead just write its results to the specified fields and leave the rest of the available data as-is.

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎06-14-2018 12:58 PM

stats is a consuming command - it will only output what you've specifically told it to output. All the rest of the stuff that it receives as input is gone after it. So when you run stats max(my*) by _time, the only fields that will be available after that are _time (because you're splitting by it) and all the my* fields (because you're running max() on them).

If you want to perform the stats calculations but not consume all other input, use eventstats instead. It will do the same thing but instead just write its results to the specified fields and leave the rest of the available data as-is.

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-14-2018 01:57 PM

Or include them in by clause of your stats.

0 Karma
Reply
Solved! Jump to solution

pratapbhanu2047
Engager
‎06-14-2018 10:21 PM

@Ayn & @somesoni2, thanks for response, yes i followed the same and its working. I have added other field in by clause of stats.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...