Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get the stats for variable with a certain value ?

aasiaa
Path Finder
‎08-18-2023 07:54 AM

Hi, 

I am building alert in Splunk. I have a log with 6 different variables, but I am actually interested only in 4 of them (A, B, C and D). Those variables usually have a value which is a number like 50 but it can also be 'unknown'

this is a log sample
event{ 

      responseStatus: 200,
       calculationBreakdown: {
         evaluation: { 
           A: unknown
           Bunknown
           C: unknown
           Dunknown
           E50
           Funknown
           }
      }

}

I am trying to do the stats for number of 'unknown' values for each variable and total calls; Then I can calculate percentage of 'unknown' for each which is treated as error and then fire my alert based on those stats

So I tried simple query:

index=someIndex app=someApp event.responseStatus=200 
| stats count as total,  sum(eval(if('event.calculationBreakdown.evaluation.A'==unknown, 1, 0))) as total_errors_for_A

wanted to do the same for errors for B, C and D, but this does not work at all, it just calculates total for all the requests but 0 for errors_A and I know there are some A =. unknown in the stats so it should be counted; 

when I change sum to count it shows the same number in both columns for total and for total_errors_for_A

I also tried different quotes for 'event.calculationBreakdown.evaluation.A' and unknown, single / double / no quotes

also added spath 'event.calculationBreakdown.evaluation.A' before | stats but that does not change anything

Is anyone able to help? I am pretty sure it is something super simple, but my mind goes blank 😞

thanks a million

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-18-2023 08:44 AM 
| stats count as total, sum(eval(if('event.calculationBreakdown.evaluation.A'=="unknown", 1, 0))) as total_errors_for_A, sum(eval(if('event.calculationBreakdown.evaluation.B'=="unknown", 1, 0))) as total_errors_for_B, sum(eval(if('event.calculationBreakdown.evaluation.C'=="unknown", 1, 0))) as total_errors_for_C, sum(eval(if('event.calculationBreakdown.evaluation.D'=="unknown", 1, 0))) as total_errors_for_D

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-18-2023 08:44 AM 
| stats count as total, sum(eval(if('event.calculationBreakdown.evaluation.A'=="unknown", 1, 0))) as total_errors_for_A, sum(eval(if('event.calculationBreakdown.evaluation.B'=="unknown", 1, 0))) as total_errors_for_B, sum(eval(if('event.calculationBreakdown.evaluation.C'=="unknown", 1, 0))) as total_errors_for_C, sum(eval(if('event.calculationBreakdown.evaluation.D'=="unknown", 1, 0))) as total_errors_for_D
Reply
Solved! Jump to solution

aasiaa
Path Finder
‎08-18-2023 09:08 AM

@ITWhisperer thank you so much, I was sure I used all the combination of quotes, but surely I missed to try single for field and double for value. Thank you so much, it works 

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...
Top