Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why does stats count(eval always returns zero when partial non-existant values exist?

ChadW
Explorer
‎12-02-2022 07:59 AM

My query:

index=primary eventType=ConnectionTest msg="network check results" | spath output=connectError details.error.connectionError | fillnull value=false connectError | dedup visitId | stats count as total, count(eval(connectError==true)) as errors

If I run this, "errors" always returns 0. However, if I run

index=primary eventType=ConnectionTest msg="network check results" | spath output=connectError details.error.connectionError | fillnull value=false connectError | dedup visitId | stats count by connectError

connectError properly returns the set of values in each bucket of connectError.

My dataset will sometimes contain the object "details.error". I tried fillnull to resolve this but that didn't work.

If I look at the Events data for the first or second query, I do see "connectError" in the "Interesting Fields" list on the left hand side.

How do I get the first query to work whereby I can get errors and total errors? I want to follow it up with |eval percentErrors=errors/total but I first need to get the stats to work properly.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-02-2022 08:53 AM

The count eval is comparing to a non-existent field called 'true' not to the string "true" so it never matches, hence the count of zero - try it this way

index=primary eventType=ConnectionTest msg="network check results" | spath output=connectError details.error.connectionError | fillnull value="false" connectError | dedup visitId | stats count as total, count(eval(connectError=="true")) as errors

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-02-2022 08:53 AM

The count eval is comparing to a non-existent field called 'true' not to the string "true" so it never matches, hence the count of zero - try it this way

index=primary eventType=ConnectionTest msg="network check results" | spath output=connectError details.error.connectionError | fillnull value="false" connectError | dedup visitId | stats count as total, count(eval(connectError=="true")) as errors
Reply
Solved! Jump to solution

ChadW
Explorer
‎12-02-2022 12:02 PM

One disparate question around something I never understood. Why do I need to create an spath for this to work? In other words, instead of

count(eval(connectError=="true"))

why can't I just do

count(eval(details.error.connectionError=="true"))

0 Karma
Reply
Solved! Jump to solution

ChadW
Explorer
‎12-02-2022 11:59 AM

That did it! Thank you. I thought I tried that before but guess not.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 2)

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Index This | I am a number but I am countless. What am I?

January 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  Happy New Year! We’re ...

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience

PLATFORM TECH TALKS What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience Thursday, February 27, ...