topic Re: count value not returning in Splunk Search

count value not returning

kiran007 — Wed, 19 Jan 2022 14:29:29 GMT

Hi,

I'm Trying to calculate success percentage, for that I'm taking total and request count. but, I'm unable to get count for the request.

Please see the attachments to get more insights.

Image1 :- Gives total count of book appointment request count.

Image2 :- Unable to get Request count from the total book appointments.

Image3 :- Example of Successfully getting results.

Please help me to resolve this.

Re: count value not returning

richgalloway — Wed, 19 Jan 2022 14:35:32 GMT

Two thoughts.

1) Try 'data.msg' similar to what is done in Image 3.

2) Try renaming data.msg.

... | rename "data.msg" as msg | stats ... eval(msg="...") as response

Re: count value not returning

kiran007 — Wed, 19 Jan 2022 14:43:46 GMT

Thanks @richgalloway for quick response. I tried both but no luck.

Please see attachment.

Re: count value not returning

kiran007 — Wed, 19 Jan 2022 14:53:58 GMT

Getting Individual Book Appointment Response count, but not getting bookappointmentresponse count from *bookappointment*

Re: count value not returning

richgalloway — Wed, 19 Jan 2022 16:57:50 GMT

I think I see the problem. Splunk looks at "*bookappointment*" as a literal string whereas you're probably expecting the asterisks to be treated as wildcards. To find a string within a string, use either the like or match function.

| stats ..., sum(eval(like(msg, "%bookappointment%"))) as response

| stats ..., sum(eval(match(msg, "bookappointment"))) as response

Notice I changed the count function to sum. That's because count will include all of the 1's and 0's returned by eval, giving the same result regardless of the value of msg. The sum function, however, effectively counts only 1's.

Re: count value not returning

kiran007 — Wed, 19 Jan 2022 17:36:16 GMT

Thanks @richgalloway it worked....👍