0 votes

I have a search query like below.

index = abc_dev sourcetype = data RequestorSystem = * Description="Request Receieved from Consumer Service" 
  OR Description="Total Time taken in sending response"
| dedup TId
| eval InBoundCount=if(Description="Request Receieved from Consumer Service",1,0)
| eval OutBoundCount=if(Description="Total Time taken in sending response",1,0)
| stats sum(InBoundCount) as "Inbound Count",sum(OutBoundCount) as "Outbound Count"

I am not sure why the inbound count is always showing as 0; the outbound count works perfectly.

1
Can you please share a few sample events? - kamlesh vaghela

1 Answer

1 votes

There is a typo in your eval InBoundCount=... Received is spelled wrong, and if your events have it spelled correctly it won't match!

If that's not the case:

  1. try running the query for both counts separately and make sure you are getting events. Also, posting some example input events will make our answer more precise.

  2. Splunk queries are joined by an implicit AND, which means that your OR needs to either be included in parentheses or (if you are using Splunk 6.6 or newer) use the IN keyword like so:

    index = abc_dev sourcetype = data RequestorSystem = * Description IN ("Request Receieved from Consumer Service", "Total Time taken in sending response")

Using IN is more portable in case you want to add other strings later on. With some tweaks, you could even use a variation of stats count by Description with this.
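As an added, self-contained example (not from the answerer), here is the corrected pipeline run over four constructed events built with makeresults, so it can be pasted into any Splunk 6.6+ search bar without the abc_dev index; the field values and the fourth event (a duplicate TId=1 that dedup drops) are made up for the test.

```spl
| makeresults count=4
| streamstats count AS n
| eval TId = if(n=4, 1, n)
| eval Description = case(n=3, "Total Time taken in sending response",
                          true(), "Request Received from Consumer Service")
| eval RequestorSystem = "consumer-svc"
| search RequestorSystem=* Description IN ("Request Received from Consumer Service", "Total Time taken in sending response")
| dedup TId
| eval InBoundCount  = if(Description="Request Received from Consumer Service", 1, 0)
| eval OutBoundCount = if(Description="Total Time taken in sending response", 1, 0)
| stats sum(InBoundCount) AS "Inbound Count", sum(OutBoundCount) AS "Outbound Count"
```

Expected result is Inbound Count 2, Outbound Count 1; replacing the last three lines with `| stats count BY Description` gives the by-Description variant mentioned above, and it no longer depends on the Description strings being retyped in an eval at all.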