topic Re: Get count of how how many of a field has a true value. in Splunk Search

Get count of how how many of a field has a true value.

alakhotia — Wed, 18 Oct 2023 17:20:02 GMT

I have a response that looks like this:

{"meta":{"code":400},"flag1":false,"flag2":false,"flag3":true}

There are more than 3 flags, but this is an example.

Assuming that there is only one that is true in each response, I want to get a count of which flag is true the most times, in descending order.

Re: Get count of how how many of a field has a true value.

yuanliu — Wed, 18 Oct 2023 18:41:06 GMT

Something like

| foreach flag* [eval trueflag = mvappend(trueflag, if(<<FIELD>> == "true", "<<FIELD>>", null()))] | stats count by trueflag

The wildcard expression will depend on actual field names. (Worst comes you iterate over non-flag fields; alternatively, you enumerate all possible flags.) See foreach.

Re: Get count of how how many of a field has a true value.

alakhotia — Wed, 18 Oct 2023 18:55:17 GMT

Thanks. My response object is extracted to responseJson.

How do I iterate over any possible field name in responseJson? What am I doing wrong below?

| eval responseJson='loggingObject.responseJson'
| foreach *
[eval trueflag = mvappend(trueflag, if(<<FIELD>> == "true", "<<FIELD>>", null()))]
| stats count by trueflag

Re: Get count of how how many of a field has a true value.

yuanliu — Wed, 18 Oct 2023 20:56:31 GMT

Do you mean to say that Splunk gives you a field named 'loggingObject.responseJson' with that JSON object as value? In that case, you need to first extract from JSON with spath. (A newer alternative is fromjson.)

| spath input=loggingObject.responseJson | foreach flag* [eval trueflag = mvappend(trueflag, if(<<FIELD>> == "true", "<<FIELD>>", null()))] | stats count by trueflag

Here is an emulation you can play with and compare with real data

| makeresults | fields - _time | eval loggingObject.responseJson = "{\"meta\":{\"code\":400},\"flag1\":false,\"flag2\":false,\"flag3\":true}" ``` data emulation above ```

Re: Get count of how how many of a field has a true value.

alakhotia — Wed, 18 Oct 2023 22:24:53 GMT

Thanks.

When I hardcode data like you've done, and I add escape backslash quotes, it works.

| makeresults | fields - _time | eval loggingObject.responseJson = "{\"meta\":{\"code\":400},\"flag1\":false,\"flag2\":false,\"flag3\":true,\"flag3status\":\"3\",\"flag4\":false,\"flag5\":false,\"flag6\":false,\"flag7\":false, \"flag7reason\":\"xyz\"}" | spath input=loggingObject.responseJson | foreach * [eval trueflag = mvappend(trueflag, if(<<FIELD>> == "true", "<<FIELD>>", null()))] | stats count by trueflag

When I use my real data results, I do get results, but also some splunk errors:

| eval responseJson='loggingObject.responseJson' | spath input=responseJson | foreach * [eval trueflag = mvappend(trueflag, if(<<FIELD>> == "true", "<<FIELD>>", null()))] | stats count by trueflag

Errors:

[shsplnkprnap008,shsplnkprnap009,shsplnkprnap010,shsplnkprnap011,shsplnkprnap012,shsplnkprnap013] Failed to parse templatized search for field 'tag::eventtype' [shsplnkprnap008,shsplnkprnap009,shsplnkprnap011,shsplnkprnap012,shsplnkprnap013] Failed to parse templatized search for field 'loggingObject.methodParams{}.className' [shsplnkprnap008,shsplnkprnap009,shsplnkprnap011,shsplnkprnap012,shsplnkprnap013] Failed to parse templatized search for field 'loggingObject.methodParams{}.value' [shsplnkprnap008,shsplnkprnap009,shsplnkprnap012,shsplnkprnap013] Failed to parse templatized search for field 'loggingObject.requestHeaders.user-agent' [shsplnkprnap008,shsplnkprnap009,shsplnkprnap012,shsplnkprnap013] Failed to parse templatized search for field 'loggingObject.requestHeaders.x-forwarded-for' [shsplnkprnap008,shsplnkprnap009,shsplnkprnap013] Failed to parse templatized search for field 'Device-ID' [shsplnkprnap008,shsplnkprnap009,shsplnkprnap013] Failed to parse templatized search for field 'valid-beacon-dept-count' [shsplnkprnap009] Failed to parse templatized search for field 'steps{}'

I am able to do something like this without splunk errors;

| eval responseJson='loggingObject.responseJson' | stats count by responseJson

Re: Get count of how how many of a field has a true value.

yuanliu — Thu, 19 Oct 2023 06:18:49 GMT

You should not use foreach *. tag::event is a meta field and foreach will not handle those. It is quite obvious that your data also contain other irrelevant fields. If you know those tag names, enumerate it. (Read the document.)

| foreach flag1 flag2 flag3 ... flagX [eval trueflag = mvappend(trueflag, if(<<FIELD>> == "true", "<<FIELD>>", null()))] | stats count by trueflag

Alternatively, you probably do not care about other fields. Remove them so foreach will not be bombed.

| fields loggingObject.responseJson | spath input=loggingObject.responseJson | foreach * [eval trueflag = mvappend(trueflag, if(<<FIELD>> == "true", "<<FIELD>>", null()))] | stats count by trueflag