Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Always got zero for count

hongbo_miao
Path Finder
‎09-18-2020 03:25 PM

I am trying to count the requests which `message.logType` is "Outgoing Response".

My query is like

 

index="my_index"
| stats count as total, count(eval(message.logType="Outgoing Response")) as outgoingCount by log.request.url
| table log.request.url, total, outgoingCount
| sort -outgoingCount

 

My logs are like, they do have `message.logType` field.

hongbo_miao_0-1600467638214.png

However, the outgoingCount column is always 0.

hongbo_miao_1-1600467744113.png

I read https://community.splunk.com/t5/Splunk-Search/stats-count-eval-always-returns-zero/m-p/334406

But does not help in my case.

Any idea? Thanks

 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hongbo_miao
Path Finder
‎09-24-2020 10:23 AM

Got some help internally, and it finally works! Really appreciate! Here is the original copy:

---

First issue is that referencing json fields with . notation has some oddities.

The correct syntax would be

 

| stats count(eval('message.logType'="Outgoing Response")) as outgoingCount

 

Next, the

 

| stats <statscmd>(<evalcmd>(<stuff))

 

syntax can be hairy. Instead try:

 

index="my_index"
| eval outgoingCount = if(message.logType="Outgoing Response", 1, 0)
| stats count as total, count(outgoingCount) as outgoingCount by log.request.url
| table log.request.url, total, outgoingCount
| sort -outgoingCount

 

 

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

hongbo_miao
Path Finder
‎09-24-2020 10:23 AM

Got some help internally, and it finally works! Really appreciate! Here is the original copy:

---

First issue is that referencing json fields with . notation has some oddities.

The correct syntax would be

 

| stats count(eval('message.logType'="Outgoing Response")) as outgoingCount

 

Next, the

 

| stats <statscmd>(<evalcmd>(<stuff))

 

syntax can be hairy. Instead try:

 

index="my_index"
| eval outgoingCount = if(message.logType="Outgoing Response", 1, 0)
| stats count as total, count(outgoingCount) as outgoingCount by log.request.url
| table log.request.url, total, outgoingCount
| sort -outgoingCount

 

 

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-19-2020 06:59 AM

Try 

index="my_index" "Outgoing Response" | head 1

in verbose mode and look to see what fields have been extractedCapture.PNG 

0 Karma
Reply
Solved! Jump to solution

hongbo_miao
Path Finder
‎09-21-2020 06:44 AM

Thanks @ITWhisperer this is running

index="my_index" "Outgoing Response" | head 1

in verbose mode.

message.logType does in the field list.

s.jpg

 

And if I run

index="my_index" | search message.logType="Outgoing Response"

It does return matched events.

 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-21-2020 06:54 AM

Hi @hongbo_miao 

As @thambisetty  suggested, try enclosing the field name with dot "." in single quotes (and adding a space after the "-" in the sort command)

 

index="my_index"
| stats count as total, count(eval('message.logType'="Outgoing Response")) as outgoingCount by log.request.url
| table log.request.url, total, outgoingCount
| sort - outgoingCount

 

 

0 Karma
Reply
Solved! Jump to solution

hongbo_miao
Path Finder
‎09-21-2020 12:35 PM

Thanks, I replied under @thambisetty still not work...

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎09-21-2020 02:55 PM 
index="my_index"
| stats count as total, sum(eval(if('message.logType'="Outgoing Response",1,0))) as outgoingCount by "log.request.url"
| table "log.request.url", total, outgoingCount
| sort - outgoingCount
0 Karma
Reply
Solved! Jump to solution

hongbo_miao
Path Finder
‎09-22-2020 12:03 PM

Thanks @to4kawa still zero...

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-22-2020 12:35 PM

Rather than blurred screenshots, please can you share a raw event or two in a code block, anonymising the data appropriately because there seems to be something that we are all missing which might become clearer if we could see the raw data?

0 Karma
Reply
Solved! Jump to solution

hongbo_miao
Path Finder
‎09-24-2020 10:36 AM

Oh I just got some help internally, I posted the working way.

Really really appreciate for the help @ITWhisperer !

(BTW, I think you might be right about the raw data is not that formatted, although when I check they seem just json / object)

0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎09-18-2020 09:30 PM

Can you try enclosing message.logType in single quotes?

and also try running search by removing sort command at the end. I believe there should be space between - and field name.

————————————
If this helps, give a like below.
0 Karma
Reply
Solved! Jump to solution

hongbo_miao
Path Finder
‎09-21-2020 07:07 AM

Thanks @thambisetty but not work.

0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎09-21-2020 07:20 AM 
index="my_index"
| stats count as total, count(eval('message.logType'="Outgoing Response")) as outgoingCount by "log.request.url"
| table "log.request.url", total, outgoingCount
| sort - outgoingCount
————————————
If this helps, give a like below.
0 Karma
Reply
Solved! Jump to solution

hongbo_miao
Path Finder
‎09-21-2020 12:34 PM

I tried, but still no luck...

hongbo_miao_0-1600716875811.png

 

0 Karma
Reply
Solved! Jump to solution

Nisha18789
Builder
‎09-18-2020 03:37 PM

Hi @hongbo_miao , could you please check if you are running your search in fast mode? If yes, try running in verbose mode and see if you get the results.

Tags (1)
0 Karma
Reply
Solved! Jump to solution

hongbo_miao
Path Finder
‎09-21-2020 07:08 AM

Thanks @Nisha18789 no, still not work in verbose mode...

0 Karma
Reply
Solved! Jump to solution

Nisha18789
Builder
‎09-22-2020 02:49 PM

Hi @hongbo_miao , can you try running below query once, and see you get any results ?

 

index="my_index"
| search message.logType="Outgoing Response"
| stats count as total, count(eval('message.logType'="Outgoing Response")) as outgoingCount by "log.request.url"
| table "log.request.url", total, outgoingCount
| sort - outgoingCount

0 Karma
Reply
Solved! Jump to solution

hongbo_miao
Path Finder
‎09-24-2020 10:28 AM

This does not work for me too, but I got some help internally, I posted the answer!

Still thanks for help @Nisha18789 !

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...