Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why does stats count(eval always returns zero when partial non-existant values exist?

ChadW
Explorer
‎12-02-2022 07:59 AM

My query:

index=primary eventType=ConnectionTest msg="network check results" | spath output=connectError details.error.connectionError | fillnull value=false connectError | dedup visitId | stats count as total, count(eval(connectError==true)) as errors

If I run this, "errors" always returns 0. However, if I run

index=primary eventType=ConnectionTest msg="network check results" | spath output=connectError details.error.connectionError | fillnull value=false connectError | dedup visitId | stats count by connectError

connectError properly returns the set of values in each bucket of connectError.

My dataset will sometimes contain the object "details.error". I tried fillnull to resolve this but that didn't work.

If I look at the Events data for the first or second query, I do see "connectError" in the "Interesting Fields" list on the left hand side.

How do I get the first query to work whereby I can get errors and total errors? I want to follow it up with |eval percentErrors=errors/total but I first need to get the stats to work properly.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-02-2022 08:53 AM

The count eval is comparing to a non-existent field called 'true' not to the string "true" so it never matches, hence the count of zero - try it this way

index=primary eventType=ConnectionTest msg="network check results" | spath output=connectError details.error.connectionError | fillnull value="false" connectError | dedup visitId | stats count as total, count(eval(connectError=="true")) as errors

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-02-2022 08:53 AM

The count eval is comparing to a non-existent field called 'true' not to the string "true" so it never matches, hence the count of zero - try it this way

index=primary eventType=ConnectionTest msg="network check results" | spath output=connectError details.error.connectionError | fillnull value="false" connectError | dedup visitId | stats count as total, count(eval(connectError=="true")) as errors
Reply
Solved! Jump to solution

ChadW
Explorer
‎12-02-2022 12:02 PM

One disparate question around something I never understood. Why do I need to create an spath for this to work? In other words, instead of

count(eval(connectError=="true"))

why can't I just do

count(eval(details.error.connectionError=="true"))

0 Karma
Reply
Solved! Jump to solution

ChadW
Explorer
‎12-02-2022 11:59 AM

That did it! Thank you. I thought I tried that before but guess not.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...