Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Adding Empty JSON Array Count To Chart

samkass
New Member
‎12-12-2017 07:15 AM

Below, I have a chart being created which is supposed to show how many times we see each tag we find in a "tags" array in JSON with spath, and chart the names of the tags alongside the count for that tag. However, I'd also like an entry in the chart that displays a count of all the hits that had no tags.

(my query) | spath input=_raw output=tags path=tags{} | chart count over tags

I found several "splunk>answers" questions with a solution to counting array size, and can even, using a slightly different query, chart the tag count for each record. But I can't figure out how to:
1. count the empty tags in a way that assigns it to some variable, and
2. chart that variable with a "NONE" title alongsize all the other tag counts

Tags (4)
0 Karma
Reply

DalJeanis
Legend
‎11-11-2018 09:27 PM

Do this after your spath and before chart.

| eval tags=coalesce(tags,"NONE")
0 Karma
Reply

DalJeanis
Legend
‎12-12-2017 12:38 PM

Can you post a non-confidential sample event?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...