Always got zero for count

hongbo_miao
Path Finder

I am trying to count the requests whose `message.logType` is "Outgoing Response".

My query is like this:

index="my_index"
| stats count as total, count(eval(message.logType="Outgoing Response")) as outgoingCount by log.request.url
| table log.request.url, total, outgoingCount
| sort -outgoingCount

My logs do have a `message.logType` field.

However, the outgoingCount column is always 0.

I read https://community.splunk.com/t5/Splunk-Search/stats-count-eval-always-returns-zero/m-p/334406

But it does not help in my case.

Any idea? Thanks

1 Solution

hongbo_miao
Path Finder

Got some help internally, and it finally works! Really appreciate it! Here is the original copy:

---

The first issue is that referencing JSON fields with dot notation has some oddities.

The correct syntax would be:

| stats count(eval('message.logType'="Outgoing Response")) as outgoingCount

Next, the

| stats <statscmd>(<evalcmd>(<stuff>))

syntax can be hairy. Instead try:

index="my_index"
| eval outgoingCount = if('message.logType'="Outgoing Response", 1, 0)
| stats count as total, sum(outgoingCount) as outgoingCount by log.request.url
| table log.request.url, total, outgoingCount
| sort -outgoingCount

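To make the first point concrete, here is an added, self-contained SPL example (not from the thread) that builds four constructed JSON events with makeresults and spath and evaluates the same condition with and without single quotes; the URLs and event bodies are made up for the demonstration.

```spl
| makeresults count=4
| streamstats count AS n
| eval _raw=case(
    n=1, "{\"message\":{\"logType\":\"Outgoing Response\"},\"log\":{\"request\":{\"url\":\"/api/orders\"}}}",
    n=2, "{\"message\":{\"logType\":\"Incoming Request\"},\"log\":{\"request\":{\"url\":\"/api/orders\"}}}",
    n=3, "{\"message\":{\"logType\":\"Outgoing Response\"},\"log\":{\"request\":{\"url\":\"/api/users\"}}}",
    n=4, "{\"message\":{\"logType\":\"Outgoing Response\"},\"log\":{\"request\":{\"url\":\"/api/orders\"}}}")
| spath
| eval unquotedFlag=if(message.logType="Outgoing Response", 1, 0)
| eval quotedFlag=if('message.logType'="Outgoing Response", 1, 0)
| stats count AS total, sum(unquotedFlag) AS unquotedCount, sum(quotedFlag) AS outgoingCount by "log.request.url"
| sort - outgoingCount
```

unquotedCount reproduces the zero from the question: without quotes, eval reads `message.logType` as the concatenation of two fields named `message` and `logType`, neither of which exists, while quotedFlag tests the extracted `message.logType` field and outgoingCount counts only the matching events per URL.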

ITWhisperer
SplunkTrust

Try 

index="my_index" "Outgoing Response" | head 1

in verbose mode and look to see what fields have been extracted.


hongbo_miao
Path Finder

Thanks @ITWhisperer, this is running

index="my_index" "Outgoing Response" | head 1

in verbose mode.

message.logType does appear in the field list.

And if I run

index="my_index" | search message.logType="Outgoing Response"

it does return matched events.


ITWhisperer
SplunkTrust

Hi @hongbo_miao 

As @thambisetty suggested, try enclosing the field name with a dot "." in single quotes (and adding a space after the "-" in the sort command):

index="my_index"
| stats count as total, count(eval('message.logType'="Outgoing Response")) as outgoingCount by log.request.url
| table log.request.url, total, outgoingCount
| sort - outgoingCount


hongbo_miao
Path Finder

Thanks, I replied under @thambisetty's post; it still does not work...


to4kawa
Ultra Champion

index="my_index"
| stats count as total, sum(eval(if('message.logType'="Outgoing Response",1,0))) as outgoingCount by "log.request.url"
| table "log.request.url", total, outgoingCount
| sort - outgoingCount

hongbo_miao
Path Finder

Thanks @to4kawa, still zero...


ITWhisperer
SplunkTrust

Rather than blurred screenshots, can you please share a raw event or two in a code block, anonymising the data appropriately? There seems to be something that we are all missing which might become clearer if we could see the raw data.


hongbo_miao
Path Finder

Oh, I just got some help internally; I posted the working way.

Really, really appreciate the help @ITWhisperer!

(BTW, I think you might be right that the raw data is not formatted like that, although when I check it seems to be just JSON / objects.)


thambisetty
SplunkTrust

Can you try enclosing message.logType in single quotes?

Also try running the search with the sort command at the end removed. I believe there should be a space between - and the field name.


hongbo_miao
Path Finder

Thanks @thambisetty, but it does not work.


thambisetty
SplunkTrust
index="my_index"
| stats count as total, count(eval('message.logType'="Outgoing Response")) as outgoingCount by "log.request.url"
| table "log.request.url", total, outgoingCount
| sort - outgoingCount

hongbo_miao
Path Finder

I tried, but still no luck...


Nisha18789
Builder

Hi @hongbo_miao , could you please check if you are running your search in fast mode? If yes, try running in verbose mode and see if you get the results.


hongbo_miao
Path Finder

Thanks @Nisha18789, no, it still does not work in verbose mode...


Nisha18789
Builder

Hi @hongbo_miao, can you try running the query below once, and see if you get any results?

index="my_index"
| search message.logType="Outgoing Response"
| stats count as total, count(eval('message.logType'="Outgoing Response")) as outgoingCount by "log.request.url"
| table "log.request.url", total, outgoingCount
| sort - outgoingCount


hongbo_miao
Path Finder

This does not work for me either, but I got some help internally and I posted the answer!

Still, thanks for the help @Nisha18789!
