Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get the stats for variable with a certain value ?

aasiaa
Path Finder
‎08-18-2023 07:54 AM

Hi, 

I am building alert in Splunk. I have a log with 6 different variables, but I am actually interested only in 4 of them (A, B, C and D). Those variables usually have a value which is a number like 50 but it can also be 'unknown'

this is a log sample
event{ 

      responseStatus: 200,
       calculationBreakdown: {
         evaluation: { 
           A: unknown
           Bunknown
           C: unknown
           Dunknown
           E50
           Funknown
           }
      }

}

I am trying to do the stats for number of 'unknown' values for each variable and total calls; Then I can calculate percentage of 'unknown' for each which is treated as error and then fire my alert based on those stats

So I tried simple query:

index=someIndex app=someApp event.responseStatus=200 
| stats count as total,  sum(eval(if('event.calculationBreakdown.evaluation.A'==unknown, 1, 0))) as total_errors_for_A

wanted to do the same for errors for B, C and D, but this does not work at all, it just calculates total for all the requests but 0 for errors_A and I know there are some A =. unknown in the stats so it should be counted; 

when I change sum to count it shows the same number in both columns for total and for total_errors_for_A

I also tried different quotes for 'event.calculationBreakdown.evaluation.A' and unknown, single / double / no quotes

also added spath 'event.calculationBreakdown.evaluation.A' before | stats but that does not change anything

Is anyone able to help? I am pretty sure it is something super simple, but my mind goes blank 😞

thanks a million

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-18-2023 08:44 AM 
| stats count as total, sum(eval(if('event.calculationBreakdown.evaluation.A'=="unknown", 1, 0))) as total_errors_for_A, sum(eval(if('event.calculationBreakdown.evaluation.B'=="unknown", 1, 0))) as total_errors_for_B, sum(eval(if('event.calculationBreakdown.evaluation.C'=="unknown", 1, 0))) as total_errors_for_C, sum(eval(if('event.calculationBreakdown.evaluation.D'=="unknown", 1, 0))) as total_errors_for_D

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-18-2023 08:44 AM 
| stats count as total, sum(eval(if('event.calculationBreakdown.evaluation.A'=="unknown", 1, 0))) as total_errors_for_A, sum(eval(if('event.calculationBreakdown.evaluation.B'=="unknown", 1, 0))) as total_errors_for_B, sum(eval(if('event.calculationBreakdown.evaluation.C'=="unknown", 1, 0))) as total_errors_for_C, sum(eval(if('event.calculationBreakdown.evaluation.D'=="unknown", 1, 0))) as total_errors_for_D
Reply
Solved! Jump to solution

aasiaa
Path Finder
‎08-18-2023 09:08 AM

@ITWhisperer thank you so much, I was sure I used all the combination of quotes, but surely I missed to try single for field and double for value. Thank you so much, it works 

0 Karma
Reply
Get Updates on the Splunk Community!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Index This | What goes away as soon as you talk about it?

May 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...
Top