Splunk Search

How to count total empty objects?

alakdam
Path Finder

I have data where I get an empty object. I would like to count in total how many empty objects there are in one table of data and also compute an average on these empty objects.

PS: I am a beginner-level Splunker and could not figure out how I can do an average of empty objects.

This was my failed attempt:

index::service sourcetype::service "order_tote_analytics" 
| spath "data.order_number" 
| search "data.order_number"=* 
| spath path=data{}.actual_totes output=finalBox 
| eval countNull=if(finalBox == "{}", "this is all null", "this has value") 
| table finalBox countNull

 


The above search query returns me this:
[screenshot: Screenshot 2022-10-05 at 15.33.20.png]


gcusello
SplunkTrust

Hi @alakdam,

please try something like this:

index::service sourcetype::service "order_tote_analytics" 
| spath "data.order_number" 
| search "data.order_number"=* 
| spath path=data{}.actual_totes output=finalBox 
| eval countNull=if(finalBox == "{}", "this is all null", "this has value") 
| search finalBox="{}"
| stats count

Ciao.

Giuseppe


alakdam
Path Finder

Thank you very much. How can I make average of it


gcusello
SplunkTrust

Hi @alakdam,

in this case you have to add the count of all the events, something like this:

index::service sourcetype::service "order_tote_analytics" 
| spath "data.order_number" 
| search "data.order_number"=* 
| spath path=data{}.actual_totes output=finalBox 
| eval countNull=if(finalBox == "{}", "this is all null", "this has value") 
| eventstats count AS total
| search finalBox="{}"
| stats count values(total) AS total
| eval average=count/total*100

Ciao.

Giuseppe

alakdam
Path Finder

@gcusello Thank you very much. I would love to publish that average value in one single panel. How would I do that? I did it like this 👇🏾👇🏾 but it does not show me the average anymore 😔😔

<panel>
  <single>
    <title>Average Actual Boxes with an empty value</title>
    <search>
      <query>index::service sourcetype::service "order_tote_analytics" | spath "data.order_number" | search "data.order_number"=$orderNumber$
| spath path=data{}.actual_totes output=RealData
| eval countNull=if(RealData == "{}", "this is all null", "this has value")
| eventstats count AS total
| search RealData="{}"
| stats count values(total) AS total
| eval average=count/total*100</query>
      <earliest>$chosenTimePeriod.earliest$</earliest>
      <latest>$chosenTimePeriod.latest$</latest>
    </search>
    <option name="colorMode">block</option>
    <option name="drilldown">none</option>
    <option name="rangeColors">["0x53a051","0x53a051","0x53a051"]</option>
    <option name="rangeValues">[0,200]</option>
    <option name="refresh.display">progressbar</option>
    <option name="useColors">1</option>
  </single>
</panel>

 


gcusello
SplunkTrust

Hi @alakdam,

add

| table average

as the last row of your search.

Ciao.

Giuseppe

alakdam
Path Finder

Did not help 😔😔😔. Could you please copy my panel example and show me? Also I don't think we need the condition. What do you say?


gcusello
SplunkTrust

Hi @alakdam,

please try this:

<panel>
  <single>
    <title>Average Actual Boxes with an empty value</title>
    <search>
      <query>index::service sourcetype::service "order_tote_analytics" | spath "data.order_number" | search "data.order_number"=$orderNumber$
| spath path=data{}.actual_totes output=RealData
| eval countNull=if(RealData == "{}", "this is all null", "this has value")
| eventstats count AS total
| search RealData="{}"
| stats count values(total) AS total
| eval average=count/total*100
| table average</query>
      <earliest>$chosenTimePeriod.earliest$</earliest>
      <latest>$chosenTimePeriod.latest$</latest>
    </search>
    <option name="colorMode">block</option>
    <option name="drilldown">none</option>
    <option name="rangeColors">["0x53a051","0x53a051","0x53a051"]</option>
    <option name="rangeValues">[0,200]</option>
    <option name="refresh.display">progressbar</option>
    <option name="useColors">1</option>
  </single>
</panel>

Ciao.

Giuseppe
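The two things worked out in this thread, the share of events whose `actual_totes` is an empty object (Giuseppe's eventstats/search/stats chain) and the reason the single-value panel needed `| table average` (the visualization renders the first column of the first row), can be shown in one search. The following is an added example and not code from the thread or from Splunk: it builds four constructed events with `makeresults` so it runs in any search bar without the `service` index, and the field names `n`, `order_number`, `RealData`, `empty`, `total` and `pct_empty` are illustrative. It collapses the eventstats/search/stats steps into a single `stats` pass, which counts both the empty objects and the total in one go and so has no field-name mismatch to get wrong.

```spl
| makeresults count=4
| streamstats count AS n
| eval _raw=case(
    n==1, "{\"data\":[{\"order_number\":\"1001\",\"actual_totes\":{}}]}",
    n==2, "{\"data\":[{\"order_number\":\"1002\",\"actual_totes\":{\"tote_id\":\"T-7\"}}]}",
    n==3, "{\"data\":[{\"order_number\":\"1003\",\"actual_totes\":{}}]}",
    n==4, "{\"data\":[{\"order_number\":\"1004\",\"actual_totes\":{\"tote_id\":\"T-9\"}}]}")
| spath path=data{}.order_number output=order_number
| spath path=data{}.actual_totes output=RealData
| search order_number=*
| stats count(eval(RealData=="{}")) AS empty, count AS total
| eval pct_empty=round(empty/total*100, 2)
| fields pct_empty
```

`spath` returns the raw JSON text for a non-scalar path, so an empty object arrives as the literal string `{}`, which is what `count(eval(RealData=="{}"))` matches; events where the path is missing altogether are counted in `total` but not in `empty`. With the constructed events above, two of four are empty, so `pct_empty` is 50. The closing `fields pct_empty` does the same job as `| table average` in the panel: a single-value visualization shows the first column of the first row, and without it the panel would display `empty` instead. If a real event carries several elements in the `data` array, `RealData` becomes multivalue; insert `| mvexpand RealData` before the `stats` to count per tote rather than per event.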

alakdam
Path Finder

You are a legend, as it says in your profile. Thanks a bunch.


gcusello
SplunkTrust

Hi @alakdam,

I didn't give the definition, but anyway thanks for the compliment!

Good for you, see you next time!

Please accept one answer for the other people of the Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

alakdam
Path Finder

I know I am asking a lot. Can you please help me with this Problem? I still don't understand the Splunk docs.

Thank you 🙏🏾


