Archive
Highlighted

How to find count of empty values in splunk ?

Communicator

How to find count of empty values in splunk ?

raw events:

threadId = 2695;StartTime=2017.11.12.16.50.36.036;EndTime=; Poller;EntityID=409M5585440; TransactionStatus=;ErrorCode=;ErrorMessage=
threadId = 2695;StartTime=2017.11.12.16.50.36.036;EndTime=; Poller;EntityID=409M5585440; TransactionStatus=start;ErrorCode=;ErrorMessage=
threadId = 2695;StartTime=2017.11.12.16.50.36.036;EndTime=; Poller;EntityID=409M5585440; TransactionStatus=;ErrorCode=;ErrorMessage=60663a012118;Poller;EntityID=488M6027140;

How to find count of TransactionStatus=; for same threadId

Tags (3)
0 Karma
Highlighted

Re: How to find count of empty values in splunk ?

SplunkTrust
SplunkTrust

hey you can try something like this

Try this run anywhere search

| makeresults 
| eval _raw="threadId = 2695;StartTime=2017.11.12.16.50.36.036;EndTime=; Poller;EntityID=409M5585440; TransactionStatus=;ErrorCode=;ErrorMessage=" 
| append 
    [| makeresults 
    | eval _raw="threadId = 2695;StartTime=2017.11.12.16.50.36.036;EndTime=; Poller;EntityID=409M5585440; TransactionStatus=start;ErrorCode=;ErrorMessage=" ] 
| append 
    [| makeresults 
    | eval _raw="threadId = 2695;StartTime=2017.11.12.16.50.36.036;EndTime=; Poller;EntityID=409M5585440; TransactionStatus=;ErrorCode=;ErrorMessage=60663a012118;Poller;EntityID=488M6027140;" ] 
| rex "TransactionStatus=(?<TransactionStatus>[^\;]+)" 
| fillnull TransactionStatus value=0 
| search TransactionStatus=0 | stats count as "empty transaction status count"

In your environment, you should write

<your_base_search> 
| rex "TransactionStatus=(?<TransactionStatus>[^\;]+)" 
| fillnull TransactionStatus value=0 
| search TransactionStatus=0 | stats count as "empty transaction status count"

let me know if this helps!

Highlighted

Re: How to find count of empty values in splunk ?

Communicator

In this how to get count

0 Karma
Highlighted

Re: How to find count of empty values in splunk ?

SplunkTrust
SplunkTrust

I have changed my query pls check

also instead of | search TransactionStatus=0 | stats count as "empty transaction status count"
you can also write | stats count(eval(TransactionStatus="0")) as "empty transaction status count"
you will get same results.

let me know if this helps!

0 Karma
Highlighted

Re: How to find count of empty values in splunk ?

SplunkTrust
SplunkTrust

If you deem a posted answer as valid and helpful to your solving of the issue, please accept said answer so that this question no longer appears open.

0 Karma