Our data is structured into a JSON format, with data structured as follows:
{
    IdentifyingDetailsofUserAndCall
    "ErrorCodes": [
        {
            "code": "Code",
            "Message": "Message"
        }
    ]
}
I'm able to pull out the error code properly from this array. However, if no error code is printed, the entire array is null, as opposed to a null value in the array. As a result, I can't use a TOP function to get the percentage breakdown.
Is there a way to store the overall count of events as a value that propagates throughout my search? The search looks like the following:
index=... sourcetype=... morefiltering | top "ErrorCodes.code"
I want to do a stats command within an eval to be able to store the overall count and then use that with the further evals to generate the total percentage of error codes. Is that possible to do, or is there a better way?
Try this:
index=... sourcetype=... morefiltering |fillnull | top "ErrorCodes.code"
it will make null values filled with zeros
The problem is that there are no actual null values returned, because it is technically two different fields.
The first field is ErrorCodes, which only has a possible value of null.
The second field is ErrorCodes{}.code, which has all the possible codes as values.
If I do | top ErrorCodes{}.code, it ignores events with ErrorCodes=Null and only looks at events where ErrorCodes{}.code has a value.
If I do | top ErrorCodes, it does the same thing, except that it ignores ErrorCodes{}.code.
If I do | table ErrorCodes{}.code, it shows completely blank values for events with a null value for ErrorCodes. If there is a way to turn blank values in this table into a null value, then I can use the fillnull command to get the appropriate stats.
try something like:
eval field1=if('field1'=="",null(),'field1')
Unfortunately that doesn't work. It doesn't register that the field has a value of "", the field itself doesn't exist.
Have you tried putting your field name in place of field1?
Try adding fillnull value="" ErrorCode.code before your top command. That way, the events without that value will get populated with an empty string for the field, allowing them to be counted in the percentage calculations for top.
Unfortunately that doesn't work. I think it might have to do with the fact it is treated as two different events.
If the array is null, it is treated as ErrorCodes=Null. But if the array is populated, it is treated as ErrorCodes{}.code=VALUE. I want to find the total count of all events that contain either ErrorCodes=Null or ErrorCodes{}.code=VALUE. But then I want to get a breakdown of what the value could be.
If I do the search: initial search | table ErrorCodes{}.code, then I get blank values in the table where it doesn't exist, and the actual codes themselves. Is there a way I can use fillnull to make those blank values an actual value?
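As an added example that is not from any participant in this thread, the following SPL pipeline computes the per-code percentage over all events, including the ones whose ErrorCodes array is null. It assumes the same placeholder base search used above, re-extracts the code values with spath so that events with a null array simply have no value, labels those events with the constructed placeholder NO_ERROR before counting, and then uses eventstats to carry the overall count across every result row so that the percentage can be derived without top:

```spl
index=... sourcetype=... morefiltering
| spath path=ErrorCodes{}.code output=code
| eval code=if(isnull(code), "NO_ERROR", code)
| mvexpand code
| stats count AS entries BY code
| eventstats sum(entries) AS total
| eval percent=round(100 * entries / total, 2)
| sort - entries
```

Because of mvexpand, an event carrying several error codes contributes one row per code, so "total" counts code entries plus error-free events rather than raw events; drop the mvexpand line if each event holds at most one code and you want a strict per-event denominator.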