CODEWITHSUNDEEP
splunksplunk-dashboard
Janardan Kelkar
Janardan Kelkar

Reputation: 170

Using stats with a base query

I am building a dashboard that uses a base query and then several panels use that query to display some data. A few of my panels do not show anything (No Result Found) . All of the panels that dont show any data use stats function. Here is my dashboard code -

  <label>ZZ_Test</label>
  <description>Test Playground</description>
  <search id="mainData">
    <query>
    index="mydata"| eventstats  max(_time) as maxTimestamp| where _time=maxTimestamp| search businessGroup IN ("*")
  </query>
    <earliest>$timeToken.earliest$</earliest>
    <latest>$timeToken.latest$</latest>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="timeToken">
      <label>timeToken</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <title>Total1</title>
        <search base="mainData">
          <query>stats sum("objects{}.count") as "Total"</query>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
      <single>
        <title>Total2</title>
        <search base="mainData">
          <query>spath path="objects{}.count" output="Total"</query>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
  </row>
</form>

Here are a couple of sample events -

[{
            "businessGroup": "Sample1",
            "objects": [
                {
                    "count": 5
                }
            ]
        },
        {
            "businessGroup": "Sample2",
            "objects": [
                {
                    "count": 54
                }
            ]
        }
    ]

When i view this dashboard, i see Total2 populated, but Total1 shows no results found.

What am i missing ?

Upvotes: 0

Views: 320

Answers (1)

RichG
RichG

Reputation: 9936

I suspect the stats command doesn't like field names in object format. Try renaming them to something simpler first.

<query>| rename "objects{}.count" as count | stats sum(count) as "Total"</query>

[EDIT] Second suggestion. The "Total1" panel does not contain an spath command, unlike panel "Total2". Without spath the field being counted probably doesn't exist.

Upvotes: 2

Related Questions