https://community.splunk.com/t5/Splunk-Search/Why-does-stats-count-eval-always-returns-zero-when-partial-non/m-p/623064#M216609 <P>That did it! Thank you. I thought I tried that before but guess not.</P> Fri, 02 Dec 2022 19:59:51 GMT ChadW 2022-12-02T19:59:51Z https://community.splunk.com/t5/Splunk-Search/Why-does-stats-count-eval-always-returns-zero-when-partial-non/m-p/623044#M216602 <P>My query:</P> <P class="lia-indent-padding-left-30px"><FONT face="courier new,courier">index=primary eventType=ConnectionTest msg="network check results" | spath output=connectError details.error.connectionError | fillnull value=false connectError | dedup visitId | stats count as total, count(eval(connectError==true)) as errors</FONT></P> <P>If I run this, "errors" always returns 0. However, if I run</P> <P class="lia-indent-padding-left-30px"><FONT face="courier new,courier">index=primary eventType=ConnectionTest msg="network check results" | spath output=connectError details.error.connectionError | fillnull value=false connectError | dedup visitId | stats count by connectError</FONT></P> <P>connectError properly returns the set of values in each bucket of connectError.</P> <P>My dataset will sometimes contain the object "details.error". I tried fillnull to resolve this but that didn't work.</P> <P>If I look at the Events data for the first or second query, I do see "connectError" in the "Interesting Fields" list on the left hand side.</P> <P><span class="lia-unicode-emoji" title=":question_mark:">❓</span>How do I get the first query to work whereby I can get errors and total errors? I want to follow it up with |eval percentErrors=errors/total but I first need to get the stats to work properly.</P> Fri, 02 Dec 2022 16:09:04 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-stats-count-eval-always-returns-zero-when-partial-non/m-p/623044#M216602 ChadW 2022-12-02T16:09:04Z https://community.splunk.com/t5/Splunk-Search/Why-does-stats-count-eval-always-returns-zero-when-partial-non/m-p/623051#M216604 <P>The count eval is comparing to a non-existent field called 'true' not to the string "true" so it never matches, hence the count of zero - try it this way</P><LI-CODE lang="markup">index=primary eventType=ConnectionTest msg="network check results" | spath output=connectError details.error.connectionError | fillnull value="false" connectError | dedup visitId | stats count as total, count(eval(connectError=="true")) as errors</LI-CODE> Fri, 02 Dec 2022 16:53:48 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-stats-count-eval-always-returns-zero-when-partial-non/m-p/623051#M216604 ITWhisperer 2022-12-02T16:53:48Z https://community.splunk.com/t5/Splunk-Search/Why-does-stats-count-eval-always-returns-zero-when-partial-non/m-p/623064#M216609 <P>That did it! Thank you. I thought I tried that before but guess not.</P> Fri, 02 Dec 2022 19:59:51 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-stats-count-eval-always-returns-zero-when-partial-non/m-p/623064#M216609 ChadW 2022-12-02T19:59:51Z https://community.splunk.com/t5/Splunk-Search/Why-does-stats-count-eval-always-returns-zero-when-partial-non/m-p/623065#M216610 <P>One disparate question around something I never understood. Why do I need to create an spath for this to work? In other words, instead of</P><P><FONT face="courier new,courier">count(eval(connectError=="true"))</FONT></P><P>why can't I just do</P><P><FONT face="courier new,courier">count(eval(details.error.connectionError=="true"))</FONT></P> Fri, 02 Dec 2022 20:02:21 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-stats-count-eval-always-returns-zero-when-partial-non/m-p/623065#M216610 ChadW 2022-12-02T20:02:21Z