- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to achieve stats by the existence of certain f...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have three types of data entries.
{
<Irrelevant field omitted>
"parameters": [
{
"LicenseNumber": "123456"
}
],
"eventTimestamp": "2023-05-09T15:23:57+0300",
}
{
<Irrelevant field omitted>
"parameters": [
{
"Holder_Id": "654321"
}
],
"eventTimestamp": "2023-05-09T15:23:57+0300",
}
{
<Irrelevant field omitted>
"parameters": [
{
"Name": "John Doe"
}
],
"eventTimestamp": "2023-05-09T15:23:57+0300",
}
I want to get stats how many by the field parameter field type as in Name:69, Holder_Id:42, LicenseNumber:76.
I thought I'd use eval to create a field by the existence of each parameters, but that doesn't work.
<base_query> | eval group_name = case(isnotnull('parameters{}.Name'), Name, isnotnull('parameters{}.HolderId'), HolderId, isnotnull('parameters{}.LicenseNumber'), LicenseNumber) | stats count by group_name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you try the below?Just removed the single quote and added double quotation marks
<base_query>
| eval group_name = case(isnotnull(parameters{}.Name), "Name", isnotnull(parameters{}.Holder_Id), "Holder_Id", isnotnull(parameters{}.LicenseNumber), "LicenseNumber")
| stats count by group_name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you try the below?Just removed the single quote and added double quotation marks
<base_query>
| eval group_name = case(isnotnull(parameters{}.Name), "Name", isnotnull(parameters{}.Holder_Id), "Holder_Id", isnotnull(parameters{}.LicenseNumber), "LicenseNumber")
| stats count by group_name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Weird, I'm sure I tried adding double quotes at some point to the eval fields. However, the isnotnull parameter has to be in single quote.
So the correct answer is,
| eval group_name = case(isnotnull('parameters{}.Name'), "Name", isnotnull('parameters{}.HolderId'), "HolderId", isnotnull('parameters{}.LicenseNumber'), "LicenseNumber") | stats count by group_name
Thanks for you help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Arishtat,
simplify field names befor an eval command:
| rename 'parameters{}.Name' AS Name 'parameters{}.HolderId' AS HolderId 'parameters{}.LicenseNumber' AS LicenseNumber
| eval group_name = case(isnotnull(Name), Name, isnotnull(HolderId), HolderId, isnotnull(LicenseNumber), LicenseNumber)
| stats count by group_nameBut anyway, if you only want a count of occurrences of each group_name, you could simply use
| stats count by group_nameCiao.
Giuseppe
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
