Eval fields not making it to Summary index when stats is used.

richard_whiffen
Explorer

I'm still sifting through the 'related questions' proposed in "Ask a Question" (great feature btw), but I don't think my scenario is covered.

I have a search set to run every 24 hours to summarize the previous 24 hours' stats.

host="HOSTSBLAH*"  (source="/usr/local/tvs/apache-tomcat/logs/qlogger/*" NOT source="*.gz") 
| lookup Market_by_Controller_ID Controller_ID as Controller_ID OUTPUT Market as Market 
| eval QueryFirstTwo=substr(TextQuery,1,2) 
| transaction MAC, QueryFirstTwo maxspan=5m maxpause=1m delim="," mvlist=TextQuery 
| eval LastQuery=mvindex(TextQuery, -1) 
| fillnull value=0 forward
| eval MAC="salt".MAC 
| eval MAC=md5(MAC) 
| stats count(LastQuery) by Market, Controller_ID, StreamingServerID, forward 
| fields count LastQuery, Controller_ID StreamingServerID Market forward MAC 
| collect addtime=true index=dashboard_summarize

Data is getting into the index, but none of the fields that have been 'EVAL'ed at some stage. So in this example, LastQuery, forward and MAC are NULL in the summary index. If I take the stats stanza out, the data is collected. It seems odd/bug-like to me that STATS would somehow null out EVAL'ed fields.

I've taken the stats stanza out and am moving on with my life. I'll generate the stats in a separate query, but again, I'm puzzled why they'd be NULL in the summary. Are there other cases like this that I need to watch out for?

Cheers, Rich


gkanapathy
Splunk Employee

It is not a bug, but is how stats is intended to work. The only things to come out after stats are the actual stats you ask for, aggregated by the by fields, so it will be exactly those fields. stats does not keep any other values because it is not otherwise told how to aggregate them (i.e., what to do with multiple values per by field combination). I'm guessing what you need is just ... | stats first(MAC) as MAC ... but whether that's correct or not depends on your data.
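What the accepted answer describes, as an added example that is not from the thread: a small Python model of `stats` run over constructed events shaped like this search's data (Market, Controller_ID, StreamingServerID, forward, MAC, LastQuery). The count/first/values semantics are simplified assumptions (real `first()` takes the first value in search order, `values()` returns a sorted, deduplicated multivalue), and the salt is the literal one from the search. It shows that a field not named as a by-field or an aggregate never reaches `collect`, and that `first(MAC) as MAC` / `values(LastQuery) as LastQuery` carries them into the summary index.

```python
import hashlib

# Constructed sample events, shaped like the thread's data just before the `stats` step.
EVENTS = [
    {"Market": "east", "Controller_ID": "c1", "StreamingServerID": "s1", "forward": 0,
     "MAC": "aa:bb:cc:00:00:01", "LastQuery": "weather"},
    {"Market": "east", "Controller_ID": "c1", "StreamingServerID": "s1", "forward": 0,
     "MAC": "aa:bb:cc:00:00:02", "LastQuery": "news"},
    {"Market": "west", "Controller_ID": "c2", "StreamingServerID": "s2", "forward": 1,
     "MAC": "aa:bb:cc:00:00:03", "LastQuery": None},
]
BY = ["Market", "Controller_ID", "StreamingServerID", "forward"]

def salt_and_hash_mac(event, salt="salt"):
    """Mirror `eval MAC="salt".MAC | eval MAC=md5(MAC)` from the thread's search."""
    out = dict(event)
    out["MAC"] = hashlib.md5((salt + event["MAC"]).encode()).hexdigest()
    return out

def stats(events, by, aggs):
    """Simplified model of `stats <aggs> by <by>`: each output row carries ONLY the
    by-fields and the requested aggregates. aggs maps output name -> (func, field),
    where func is count/first/values; count(field) counts non-null values only."""
    groups = {}  # insertion-ordered (Python 3.7+)
    for ev in events:
        groups.setdefault(tuple(ev.get(f) for f in by), []).append(ev)
    rows = []
    for key, evs in groups.items():
        row = dict(zip(by, key))
        for name, (func, field) in aggs.items():
            vals = [e[field] for e in evs if e.get(field) is not None]
            if func == "count":
                row[name] = len(vals)
            elif func == "first":
                row[name] = vals[0] if vals else None
            elif func == "values":
                row[name] = sorted(set(vals))  # multivalue: deduplicated and sorted
        rows.append(row)
    return rows

def original_search():
    # `stats count(LastQuery) by ...`: MAC and LastQuery are never aggregated, so they vanish.
    return stats([salt_and_hash_mac(e) for e in EVENTS], BY,
                 {"count(LastQuery)": ("count", "LastQuery")})

def fixed_search():
    # Name an aggregate for every field the summary needs (the accepted answer's fix).
    return stats([salt_and_hash_mac(e) for e in EVENTS], BY,
                 {"count": ("count", "LastQuery"), "MAC": ("first", "MAC"), "LastQuery": ("values", "LastQuery")})
```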

richard_whiffen
Explorer

Yeah, I found my mistake by adding and removing stanzas and then talking with Chris Olson from Splunk. In hindsight it's obvious, but it didn't click when I was looking at it the last two days. I think what tripped me up the most is that 'LastQuery' wasn't going through even though it was in the stats command (but as a count, not the actual value, DOH!). Anyway, Chris set me on the same path. Thanks gkanapathy
