Hi, 

I am building alert in Splunk. I have a log with 6 different variables, but I am actually interested only in 4 of them (A, B, C and D). Those variables usually have a value which is a number like 50 but it can also be 'unknown'

this is a log sample
event: { 

      responseStatus: 200,
       calculationBreakdown: {
         evaluation: { 
           A: unknown
           B: unknown
           C: unknown
           D: unknown
           E: 50
           F: unknown
           }
      }

}

I am trying to do the stats for number of 'unknown' values for each variable and total calls; Then I can calculate percentage of 'unknown' for each which is treated as error and then fire my alert based on those stats

So I tried simple query:

index=someIndex app=someApp event.responseStatus=200 
| stats count as total,  sum(eval(if('event.calculationBreakdown.evaluation.A'==unknown, 1, 0))) as total_errors_for_A

wanted to do the same for errors for B, C and D, but this does not work at all, it just calculates total for all the requests but 0 for errors_A and I know there are some A =. unknown in the stats so it should be counted; 

when I change sum to count it shows the same number in both columns for total and for total_errors_for_A

I also tried different quotes for 'event.calculationBreakdown.evaluation.A' and unknown, single / double / no quotes

also added spath 'event.calculationBreakdown.evaluation.A' before | stats but that does not change anything

Is anyone able to help? I am pretty sure it is something super simple, but my mind goes blank 😞

thanks a million