Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to find count of empty values in splunk ?

karthi2809
Communicator
‎01-21-2018 09:33 PM

How to find count of empty values in splunk ?

raw events:

threadId = 2695;StartTime=2017.11.12.16.50.36.036;EndTime=; Poller;EntityID=409M5585440; TransactionStatus=;ErrorCode=;ErrorMessage=
threadId = 2695;StartTime=2017.11.12.16.50.36.036;EndTime=; Poller;EntityID=409M5585440; TransactionStatus=start;ErrorCode=;ErrorMessage=
threadId = 2695;StartTime=2017.11.12.16.50.36.036;EndTime=; Poller;EntityID=409M5585440; TransactionStatus=;ErrorCode=;ErrorMessage=60663a012118;Poller;EntityID=488M6027140;

How to find count of TransactionStatus=; for same threadId

Tags (3)
0 Karma
Reply

mayurr98
SplunkTrust
SplunkTrust
‎01-22-2018 11:53 PM

If you deem a posted answer as valid and helpful to your solving of the issue, please accept said answer so that this question no longer appears open.

0 Karma
Reply

mayurr98
SplunkTrust
SplunkTrust
‎01-21-2018 10:11 PM

hey you can try something like this

Try this run anywhere search

| makeresults 
| eval _raw="threadId = 2695;StartTime=2017.11.12.16.50.36.036;EndTime=; Poller;EntityID=409M5585440; TransactionStatus=;ErrorCode=;ErrorMessage=" 
| append 
    [| makeresults 
    | eval _raw="threadId = 2695;StartTime=2017.11.12.16.50.36.036;EndTime=; Poller;EntityID=409M5585440; TransactionStatus=start;ErrorCode=;ErrorMessage=" ] 
| append 
    [| makeresults 
    | eval _raw="threadId = 2695;StartTime=2017.11.12.16.50.36.036;EndTime=; Poller;EntityID=409M5585440; TransactionStatus=;ErrorCode=;ErrorMessage=60663a012118;Poller;EntityID=488M6027140;" ] 
| rex "TransactionStatus=(?<TransactionStatus>[^\;]+)" 
| fillnull TransactionStatus value=0 
| search TransactionStatus=0 | stats count as "empty transaction status count"

In your environment, you should write

<your_base_search> 
| rex "TransactionStatus=(?<TransactionStatus>[^\;]+)" 
| fillnull TransactionStatus value=0 
| search TransactionStatus=0 | stats count as "empty transaction status count"

let me know if this helps!

Reply

karthi2809
Communicator
‎01-21-2018 11:16 PM

In this how to get count

0 Karma
Reply

mayurr98
SplunkTrust
SplunkTrust
‎01-21-2018 11:26 PM

I have changed my query pls check

also instead of | search TransactionStatus=0 | stats count as "empty transaction status count"
you can also write | stats count(eval(TransactionStatus="0")) as "empty transaction status count"
you will get same results.

let me know if this helps!

0 Karma
Reply
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!

Get Updates on the Splunk Community!