Solved: Re: Stats by the existence of certain fields

Arishtat · ‎05-11-2023

I have three types of data entries.

{
<Irrelevant field omitted>
"parameters": [
{
"LicenseNumber": "123456"
}
],
"eventTimestamp": "2023-05-09T15:23:57+0300",
}

{
<Irrelevant field omitted>
"parameters": [
{
"Holder_Id": "654321"
}
],
"eventTimestamp": "2023-05-09T15:23:57+0300",
}

{
<Irrelevant field omitted>
"parameters": [
{
"Name": "John Doe"
}
],
"eventTimestamp": "2023-05-09T15:23:57+0300",
}

I want to get stats how many by the field parameter field type as in Name:69, Holder_Id:42, LicenseNumber:76.

I thought I'd use eval to create a field by the existence of each parameters, but that doesn't work.

<base_query> | eval group_name = case(isnotnull('parameters{}.Name'), Name, isnotnull('parameters{}.HolderId'), HolderId, isnotnull('parameters{}.LicenseNumber'), LicenseNumber) | stats count by group_name

TrangCIC81 · ‎05-11-2023

Can you try the below?Just removed the single quote and added double quotation marks

<base_query> 
| eval group_name = case(isnotnull(parameters{}.Name), "Name", isnotnull(parameters{}.Holder_Id), "Holder_Id", isnotnull(parameters{}.LicenseNumber), "LicenseNumber") 
| stats count by group_name

View solution in original post

TrangCIC81 · ‎05-11-2023

Can you try the below?Just removed the single quote and added double quotation marks

<base_query> 
| eval group_name = case(isnotnull(parameters{}.Name), "Name", isnotnull(parameters{}.Holder_Id), "Holder_Id", isnotnull(parameters{}.LicenseNumber), "LicenseNumber") 
| stats count by group_name

Arishtat · ‎05-11-2023

Weird, I'm sure I tried adding double quotes at some point to the eval fields. However, the isnotnull parameter has to be in single quote.

So the correct answer is,

| eval group_name = case(isnotnull('parameters{}.Name'), "Name", isnotnull('parameters{}.HolderId'), "HolderId", isnotnull('parameters{}.LicenseNumber'), "LicenseNumber") | stats count by group_name

Thanks for you help.

gcusello · ‎05-11-2023

Hi @Arishtat,

simplify field names befor an eval command:

| rename 'parameters{}.Name' AS Name 'parameters{}.HolderId' AS HolderId 'parameters{}.LicenseNumber' AS LicenseNumber
| eval group_name = case(isnotnull(Name), Name, isnotnull(HolderId), HolderId, isnotnull(LicenseNumber), LicenseNumber) 
| stats count by group_name

But anyway, if you only want a count of occurrences of each group_name, you could simply use

| stats count by group_name

Ciao.

Giuseppe

How to achieve stats by the existence of certain fields?

eval

stats

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

October Community Champions: A Shoutout to Our Contributors!

Are you a member of the Splunk Community?