I have two separate queries that I would like to combine into one query without using event types. How can I do this as one query?
query 1:
source=....."labelData= " | stats count
query 2:
source=..... labelData!="" | stats count
ACTUAL LOGS:
// NO MATCH [2014-02-18 10:21:53,302](org.mysession.Session-/xxx)([8fae1ec7-39bf-4c0b-97ba-144a55d1510e INFO - MyClass - Parsed info: labelData= labelDataValue= matchedLocale= textLength=2636
// MATCH [2014-02-18 10:24:52,302](org.mysession.Session-/xxx)([8fae1ec7-39bf-4c0b-97ba-144a55d1510e INFO - MyClass - Parsed info: labelData=EN_US labelDataValue=1 matchedLocale= textLength=2636
Try this (assuming labelData is an extracted field for you and both queries use the same source)
source=yoursource | stats count(eval(isnull(labelData))) as CountBlank, count(eval(isnotnull(labelData))) as CountValues
OR (in case the one above doesn't work)
source=yoursource | stats count(eval(labelData="")) as CountBlank, count(eval(labelData!="")) as CountValues
source=yoursource | stats count(eval(len(labelData)=0)) as CountBlank, count(eval(len(labelData)!=0)) as CountValues
This should work (workaround)
source=yoursource "labelData= " | stats count as CountBlank | appendcols [search source=yoursource labelData!="" | stats count as CountValues]
One last ask: how can I get them as separate rows so that I can put them in a pie chart for display? I tried append but no go.
That last workaround worked. Not sure why the others aren't working. It's bizarre. Thanks for not giving up on me. 😃 Thanks again!
I can understand your frustration, I have got Splunk-slapped many times. Try the updated options, which definitely should work (provided your individual queries were working).
Updated logs... I can't figure out this one for the life of me. I tried your update. The second part works fine. The blank ones don't. What is the deal with Splunk and having issues matching "log msg labelData= " as opposed to "log msg labelData=EN_US"? I can't figure out why Splunk messes this up. I have triple-checked everything on my side.
It seems a blank "" is getting assigned instead of NULL, which I was thinking. Try option 3 that I provided; it should work based on the observations you provided.
The first query isn't working either. The section count(eval(isnull(matchedParsePatterns)))
brings back all instances (matches and no matches), i.e. labelData= as well as labelData=somevalue
Since all records will have either labelData="" or labelData!="", one workaround will be:
source=yoursource | stats count as Total count(eval(isnotnull(labelData))) as CountValues | eval CountBlank=Total-CountValues | fields - Total
Did you try both the options that I provided? especially the first one?
Cool, thanks for the reply. I was able to get the second part of your query to work. However, the first part doesn't work. Please see my updates on how things are getting logged. For some reason I can't match misses like labelData="". Instead I have to match "labelData= ", but that was only working for my original query. If I put that into the first part of your query it won't work for some reason.
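For the follow-up about getting the two counts as separate rows for a pie chart, one approach, added here as an example and not posted by anyone in the thread: pull the value out of the raw event with `rex`, classify each event, and count by that classification in a single search. The field names `labelDataRaw` and `labelState` are hypothetical, and the `makeresults` lines stand in for `source=yoursource`, using the two log lines from the question so the search runs without any indexed data.

```spl
| makeresults
| eval _raw="[2014-02-18 10:21:53,302](org.mysession.Session-/xxx)([8fae1ec7-39bf-4c0b-97ba-144a55d1510e INFO - MyClass - Parsed info: labelData= labelDataValue= matchedLocale= textLength=2636"
| append
    [| makeresults
     | eval _raw="[2014-02-18 10:24:52,302](org.mysession.Session-/xxx)([8fae1ec7-39bf-4c0b-97ba-144a55d1510e INFO - MyClass - Parsed info: labelData=EN_US labelDataValue=1 matchedLocale= textLength=2636"]
| rex "labelData=(?<labelDataRaw>\S*)\s+labelDataValue="
| eval labelState=if(len(coalesce(labelDataRaw, "")) > 0, "HasValue", "Blank")
| stats count by labelState
```

Because the classification wraps the extracted value in `coalesce(..., "")`, an event is counted as Blank whether the extraction yields an empty string or no field at all, which is the distinction the `isnull` and `=""` variants in the thread disagree on.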