How to find count of empty values in splunk ?

karthi2809 · ‎01-21-2018

raw events:

threadId = 2695;StartTime=2017.11.12.16.50.36.036;EndTime=; Poller;EntityID=409M5585440; TransactionStatus=;ErrorCode=;ErrorMessage=
threadId = 2695;StartTime=2017.11.12.16.50.36.036;EndTime=; Poller;EntityID=409M5585440; TransactionStatus=start;ErrorCode=;ErrorMessage=
threadId = 2695;StartTime=2017.11.12.16.50.36.036;EndTime=; Poller;EntityID=409M5585440; TransactionStatus=;ErrorCode=;ErrorMessage=60663a012118;Poller;EntityID=488M6027140;

How to find count of TransactionStatus=; for same threadId

mayurr98 · ‎01-22-2018

If you deem a posted answer as valid and helpful to your solving of the issue, please accept said answer so that this question no longer appears open.

mayurr98 · ‎01-21-2018

hey you can try something like this

Try this run anywhere search

| makeresults 
| eval _raw="threadId = 2695;StartTime=2017.11.12.16.50.36.036;EndTime=; Poller;EntityID=409M5585440; TransactionStatus=;ErrorCode=;ErrorMessage=" 
| append 
    [| makeresults 
    | eval _raw="threadId = 2695;StartTime=2017.11.12.16.50.36.036;EndTime=; Poller;EntityID=409M5585440; TransactionStatus=start;ErrorCode=;ErrorMessage=" ] 
| append 
    [| makeresults 
    | eval _raw="threadId = 2695;StartTime=2017.11.12.16.50.36.036;EndTime=; Poller;EntityID=409M5585440; TransactionStatus=;ErrorCode=;ErrorMessage=60663a012118;Poller;EntityID=488M6027140;" ] 
| rex "TransactionStatus=(?<TransactionStatus>[^\;]+)" 
| fillnull TransactionStatus value=0 
| search TransactionStatus=0 | stats count as "empty transaction status count"

In your environment, you should write

<your_base_search> 
| rex "TransactionStatus=(?<TransactionStatus>[^\;]+)" 
| fillnull TransactionStatus value=0 
| search TransactionStatus=0 | stats count as "empty transaction status count"

let me know if this helps!

karthi2809 · ‎01-21-2018

In this how to get count

mayurr98 · ‎01-21-2018

I have changed my query pls check

also instead of | search TransactionStatus=0 | stats count as "empty transaction status count"
you can also write | stats count(eval(TransactionStatus="0")) as "empty transaction status count"
you will get same results.

let me know if this helps!

How to find count of empty values in splunk ?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?