Splunk Search

Percentage of Total of an event within a sub-array

brajaram
Communicator

Our data is structured into a JSON format, with data structured as follows:

{
  IdentifyingDetailsofUserAndCall,
  "ErrorCodes": [
    {
      "code": "Code",
      "Message": "Message"
    }
  ]
}

I'm able to pull out the error code properly from this array. However, if no error code is printed, the entire array is null, as opposed to a null value in the array. As a result, I can't use a TOP function to get the percentage breakdown.

Is there a way to store the overall count of events as a value that propagates throughout my search? The search looks like the following:

index=... sourcetype=... morefiltering  | top "ErrorCodes.code" 

I want to do a stats command within an eval to be able to store the overall count and then use that with the further evals to generate the total percentage of error codes. Is that possible to do, or is there a better way?

0 Karma

493669
Super Champion

Try this:

index=... sourcetype=... morefiltering | fillnull | top "ErrorCodes.code"

It will fill null values with zeros.

0 Karma

brajaram
Communicator

The problem is that there are no actual null values returned, because it is technically two different fields.

The first field is ErrorCodes, which only has a possible value of null.

The second field is ErrorCodes{}.code, which has all the possible codes as values.

If I do | top ErrorCodes{}.code, it ignores events with ErrorCodes=null and only looks at events where ErrorCodes{}.code has a value.

If I do | top ErrorCodes, it does the same thing, except it is ErrorCodes{}.code that it ignores.

If I do | table ErrorCodes{}.code, it shows completely blank values for events with a null value for ErrorCodes. If there is a way to turn the blank values in this table into a null value, then I can use the fillnull command to get the appropriate stats.

0 Karma

493669
Super Champion

Try something like:

eval field1=if('field1'=="",null(),'field1')
0 Karma

brajaram
Communicator

Unfortunately that doesn't work. It doesn't register that the field has a value of ""; the field itself doesn't exist.

0 Karma

493669
Super Champion

Have you tried putting your field name in place of field1?

0 Karma

elliotproebstel
Champion

Try adding fillnull value="" ErrorCode.code before your top command. That way, the events without that value will get populated with an empty string for the field, allowing them to be counted in the percentage calculations for top.

0 Karma

brajaram
Communicator

Unfortunately that doesn't work. I think it might have to do with the fact it is treated as two different events.

If the array is null, it is treated as ErrorCodes=null. But if the array is populated, it is treated as ErrorCodes{}.code=VALUE. I want to find the total count of all events that contain either ErrorCodes=null or ErrorCodes{}.code=VALUE, but then I want to get a breakdown of what the value could be.

If I do the search initial search | table ErrorCodes{}.code, then I get blank values in the table where it doesn't exist, plus the actual codes themselves. Is there a way I can use fillnull to make those blank values an actual value?

0 Karma
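The counting problem the thread circles around, as an added example that is not part of the original posts and not Splunk's own code: in Python rather than SPL, over constructed sample events, it makes the "no error codes" case an explicit placeholder value (the role fillnull would play before top) so the denominator is every event, and it shows why the percentages differ depending on whether an event carrying two codes is counted once per code or once per occurrence (the latter is how top treats a multivalue field). The field names, the "none" placeholder and the sample events are assumptions for illustration.

```python
import json
from collections import Counter

# Constructed sample events (not from the original post), in the shape the
# thread describes: an event without errors carries a null or absent
# ErrorCodes array rather than an array containing a null entry.
SAMPLE_EVENTS = [
    '{"user": "u1", "call": "c1", "ErrorCodes": [{"code": "E100", "Message": "timeout"}]}',
    '{"user": "u2", "call": "c2", "ErrorCodes": null}',
    '{"user": "u3", "call": "c3", "ErrorCodes": [{"code": "E100", "Message": "timeout"}, '
    '{"code": "E200", "Message": "auth"}]}',
    '{"user": "u4", "call": "c4"}',                 # array absent entirely
    '{"user": "u5", "call": "c5", "ErrorCodes": []}',  # array present but empty
]

# Placeholder for "no error code", the equivalent of fillnull value="none"
# applied to the extracted field before top. Assumed name, not from the thread.
NO_ERROR = "none"


def extract_codes(event: dict) -> list:
    """Mirror what JSON field extraction yields for ErrorCodes{}.code: one value
    per array element when the array is populated, nothing when the array is
    null, missing or empty. The missing case is made explicit as NO_ERROR so
    those events are not dropped from the count."""
    codes = [e.get("code") for e in (event.get("ErrorCodes") or [])
             if e.get("code") is not None]
    return codes or [NO_ERROR]


def breakdown(raw_events, per_event=True):
    """Return (total_events, {code: (count, percent)}).

    per_event=True counts an event at most once per code and divides by the
    number of events, which is the "percentage of all calls" the poster asks
    for; the percentages can sum to more than 100 because one event may carry
    several codes. per_event=False counts every occurrence and divides by the
    number of occurrences, which is how top reports a multivalue field, so the
    percentages sum to 100 but no longer describe a share of events."""
    total = 0
    counts = Counter()
    for line in raw_events:
        total += 1
        codes = extract_codes(json.loads(line))
        if per_event:
            codes = set(codes)
        counts.update(codes)
    denom = total if per_event else sum(counts.values())
    return total, {c: (n, round(100.0 * n / denom, 2)) for c, n in counts.items()}


if __name__ == "__main__":
    for mode in (True, False):
        total, table = breakdown(SAMPLE_EVENTS, per_event=mode)
        print(f"per_event={mode}  total events: {total}")
        for code, (n, pct) in sorted(table.items(), key=lambda kv: -kv[1][0]):
            print(f"  {code:6} {n:3} {pct:6.2f}%")
```

Usage note: run the file as-is; the per_event=True table is the one that answers "what share of all calls ended with code X", with the none row giving the share of clean calls. If the array can hold several codes per event, decide which denominator you want before trusting the percent column that top prints.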