Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

The stats command isn't returning any results?

mperren
Engager
‎02-11-2014 09:50 AM

I have the following splunk query:

search (...) AND ERROR
    | rex field=error "^.*(?<vcbn>Value cannot be null.)$"
    | stats count(vcbn) by error

but for whatever reason the stats count(vcbn) by error isn't generating any results.

Additionally, the rex field=error "^.*(?<vcbn>Value cannot be null.)$" isn't building a new field in the list on the left of the event search results.

The search itself returns 170 events.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-11-2014 10:14 AM

Start by displaying just the results of your search (everything before "rex") to make sure you're getting the events you think you're getting. Do you have a field called 'error'? If you want to capture the full stop at the end of the error message it should be escaped (.).

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

the_wolverine
Champion
‎02-11-2014 11:37 AM 
search (...) AND ERROR
    | rex field=error "^.*(?<vcbn>Value cannot be null.)$"
    | stats count by vcbn
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-11-2014 10:39 AM

please provide some sample log entries and the portion which have to be extracted as vcbn.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-11-2014 10:14 AM

Start by displaying just the results of your search (everything before "rex") to make sure you're getting the events you think you're getting. Do you have a field called 'error'? If you want to capture the full stop at the end of the error message it should be escaped (.).

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-11-2014 10:47 AM

Try 'stats count(vcbn)'. Since your search is only returning a single value, there is no grouping and so no use for a by clause.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

linu1988
Champion
‎02-11-2014 10:46 AM

what do you get in vcbn? do you get all the values which you expect? And what i think you would like count on vcbn

rex "^.*(?Value cannot be null.)$" | stats count(vcbn) by vcbn

0 Karma
Reply
Solved! Jump to solution

mperren
Engager
‎02-11-2014 10:37 AM

@richgalloway: got it, so after changing it up a bit to rex "^.*(?<vcbn>Value cannot be null.)$" | stats count(vcbn) by _raw I get a graph - but it's empty. What might I have missed there? I've also noticed that the results listing no longer has these errors listed.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-11-2014 10:31 AM

I thought that might be the case. The field argument to the rex command tells rex what field to parse. Results are put into fields created by the '?<vcbn>' construct.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

mperren
Engager
‎02-11-2014 10:16 AM

I don't get a field called error, I thought I was trying to make a field called error that pulled out that text and then get stats on it. However, I do get the results I'm expecting with just the search.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...