Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

After calculations in a search, why am I unable to display results using the table command?

chrisboy68
Contributor
‎02-15-2016 01:54 PM

Hi,

This search below is working great....

index=logs AND (sourcetype=eMetrics)  |  JOIN type=outer OrderNumber [ search index=logs AND  LogLevel=ERROR AND ErrorType="BAD_ORDER"  ]  
| stats count(eval(Name!="SUCCESS")) as bad_orders, count(eval(Name=="SUCCESS")) as good_orders  | eval percent_bad=100*bad_orders/good_orders | where percent_bad > 30

However, adding the table command does not work. 

index=logs AND (sourcetype=eMetrics)  |  JOIN type=outer OrderNumber [ search index=logs AND  LogLevel=ERROR AND ErrorType="BAD_ORDER"  ]  
| stats count(eval(Name!="SUCCESS")) as bad_orders, count(eval(Name=="SUCCESS")) as good_orders  | eval percent_bad=100*bad_orders/good_orders | where percent_bad > 30 | table OrderNumber, ErrorMessage

Any ideas? I'm trying to use this as an alert and it will display a table of bad_orders with a few Event fields.

Thank you!

Chris

Tags (3)
0 Karma
Reply

chimell
Motivator
‎02-16-2016 12:54 AM

Hi
Try with 

..................|fields OrderNumber  ErrorMessage
0 Karma
Reply

somesoni2
Revered Legend
‎02-15-2016 03:22 PM

Your stats command is limiting the fields to only the bad_orders and good_orders. The field that you want to show are not available there.

If you can add some sample events and/or describe fields available in both your sources, we can probably suggest you better options (then join).

You can give this a try (just for fun)

index=logs (sourcetype=eMetrics) OR (LogLevel=ERROR AND ErrorType="BAD_ORDER" ) | stats values(Name) as Name, values(ErrorMessage) as ErrorMessage by OrderNumber | eventstats count(eval(Name!="SUCCESS")) as bad_orders, count(eval(Name=="SUCCESS")) as good_orders  | eval percent_bad=100*bad_orders/good_orders | where percent_bad > 30 | table OrderNumber, ErrorMessage
0 Karma
Reply

chimell
Motivator
‎02-16-2016 12:35 AM

hi
in your query i can not see ErrorMessage field where it is?

0 Karma
Reply

somesoni2
Revered Legend
‎02-16-2016 05:25 AM

Its the second field in the stats.

0 Karma
Reply

chrisboy68
Contributor
‎02-16-2016 06:43 AM

Thanks for your response. Ok, so I got rid of the Join and saw you used Eventstats so I gave the below a try.

index=logs  AND (sourcetype=Metrics  OR  (LogLevel=ERROR AND ErrorType="BAD_ORDER" ))  
| eventstats count(eval(Name!="SUCCESS")) as bad_orders, count(eval(Name=="SUCCESS")) as good_orders  | eval percent_bad=100*bad_orders/good_orders |  where percent_bad > 20 |search ErrorType="BAD_ORDER", OrderNumber != NULL | table percent_bad, _time ,OrderNumber, ErrorMessage, ErrorMessage2

Seems like its working, I'll need to analyse more to see if the calculations are correct. If there is a better way, please share!

Thanks for your help!

Chris

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...