Re: Field alias showing improper count - splunk 4....

rakesh_498115 · ‎06-07-2013

Hi ,

I have two field extractions like the below ones in my props.conf file.now i have created an alias for these two extractions as Product i.e

[productinfo]
EXTRACT-t2r_b2b_prodID = ServiceType>(?<t2r_b2b_prodID>[^<]*)<
EXTRACT-b2b_prodID = (?<=SellersItemIdentification).*?\s*\<.*?ID\>(?<b2b_prodID>[^<]*)\<
FIELDALIAS-prodID = b2b_prodID AS Product t2r_b2b_prodID AS Product

// query1
sourcetype="productinfo" | top b2b_prodID

is having 10 products info

// query2
sourcetype="productinfo" | top t2r_b2b_prodID

is having 5 products info

but wen i run
//query 3
sourcetype="productinfo" | top Product

it should show 15 products info and count should match.. but this not matching.. can any one help wats been wrong here ..pls

lpolo · ‎06-07-2013

Try this:

sourcetype="productinfo" | top limit=0 Product

rakesh_498115 · ‎06-07-2013

yeah tried that . its not problem with the query .its problem with the count ...say in my first query i am getting a product A with count 100 and in second query i am A count 50 , then ideally in third query A count should be 150 but it is not... 😞

dsrvern · ‎11-02-2017

Hi rakesh,

I'm seeing the same problem with field aliases. Did you ever find a solution to this issue?

Field alias showing improper count - splunk 4.3.2 ??

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases