Re: Adding Empty JSON Array Count To Chart

samkass · ‎12-12-2017

Below, I have a chart being created which is supposed to show how many times we see each tag we find in a "tags" array in JSON with spath, and chart the names of the tags alongside the count for that tag. However, I'd also like an entry in the chart that displays a count of all the hits that had no tags.

(my query) | spath input=_raw output=tags path=tags{} | chart count over tags

I found several "splunk>answers" questions with a solution to counting array size, and can even, using a slightly different query, chart the tag count for each record. But I can't figure out how to:
1. count the empty tags in a way that assigns it to some variable, and
2. chart that variable with a "NONE" title alongsize all the other tag counts

DalJeanis · ‎11-11-2018

Do this after your spath and before chart.

| eval tags=coalesce(tags,"NONE")

DalJeanis · ‎12-12-2017

Can you post a non-confidential sample event?

Adding Empty JSON Array Count To Chart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

Announcing Modern Navigation: A New Era of Splunk User Experience

Casting Call: Compete in Cyber Games

Join the Conversation