Splunk will not automatically give a count or a percentage after search. You need to show the command you use to get those three values. This is why @ITWhisperer says you cannot find an answer without context. This emulation shows what Splunk gets after raw search.

| makeresults
| eval _raw = "{
\"@t\": \"2024-08-14T13:34:42.1718458Z\",
\"@mt\": \"{className}{methodName}{transactionId}{logLevel}@{LogController_LogMetricsAsync_request}\",
\"className\": \"D:\\\\CW\\\\uploader\\\\Service\\\\LogController.cs_152\",
\"methodName\": \"LogMetricsAsync\",
\"transactionId\": \"d8e8e141-e9fc749abb0f\",
\"logLevel\": \"Information\",
\"LogController_LogMetricsAsync_request\": {
\"action\": \"Device\",
\"event\": \"Info\",
\"loggerData\": [
{
\"schema\": \"1.0\",
\"bv\": \"1.3.41\",
\"dt\": \"CS\",
\"act\": \"PlaybackAd\",
\"adType\": \"Midpoints\",
\"content\": \"Episode\",
\"adId\": \"676697\"
},
{
\"schema\": \"1.0\",
\"bv\": \"1.3.41\",
\"dt\": \"CS\",
\"act\": \"PlaybackAd\",
\"adType\": \"Third Quartiles\",
\"content\": \"Episode\",
\"adId\": \"676697\"
},
{
\"schema\": \"1.0\",
\"bv\": \"1.3.41\",
\"dt\": \"CS\",
\"act\": \"PlaybackAd\",
\"adType\": \"Completes\",
\"adId\": \"676697\"
},
{
\"schema\": \"1.0\",
\"bv\": \"1.3.41\",
\"dt\": \"CS\",
\"act\": \"NetworkBalance\",
\"data\": {
\"connectionType\": \"Wi-Fi\",
\"routerInfo\": \"ARRIS\"
}
},
{
\"schema\": \"1.0\",
\"bv\": \"1.3.41\",
\"dt\": \"CS\",
\"act\": \"NetworkBalance\",
\"data\": {
\"connectionType\": \"Wi-Fi\",
\"routerInfo\": \"ARRIS\"
}
},
{
\"schema\": \"1.0\",
\"bv\": \"1.3.41\",
\"dt\": \"CS\",
\"act\": \"NetworkBalance\",
\"data\": {
\"connectionType\": \"Wi-Fi\",
\"routerInfo\": \"ARRIS\"
}
},
{
\"schema\": \"1.0\",
\"bv\": \"1.3.41\",
\"dt\": \"CS\",
\"act\": \"NetworkBalance\",
\"data\": {
\"connectionType\": \"Wi-Fi\",
\"routerInfo\": \"ARRIS\"
}
},
{
\"schema\": \"1.0\",
\"bv\": \"1.3.41\",
\"dt\": \"CS\",
\"act\": \"NetworkBalance\",
\"data\": {
\"connectionType\": \"Wi-Fi\",
\"routerInfo\": \"ARRIS\"
}
},
{
\"schema\": \"1.0\",
\"bv\": \"1.3.41\",
\"dt\": \"CS\",
\"act\": \"NetworkBalance\",
\"data\": {
\"connectionType\": \"Wi-Fi\",
\"routerInfo\": \"ARRIS\"
}
},
{
\"schema\": \"1.0\",
\"bv\": \"1.3.41\",
\"dt\": \"CS\",
\"act\": \"NetworkBalance\",
\"data\": {
\"connectionType\": \"Wi-Fi\",
\"routerInfo\": \"ARRIS\"
}
},
{
\"schema\": \"1.0\",
\"bv\": \"1.3.41\",
\"dt\": \"CS\",
\"adType\": \"Midpoints\",
\"content\": \"Episode\",
\"adId\": \"CODE791\"
},
{
\"schema\": \"1.0\",
\"bv\": \"1.3.41\",
\"dt\": \"CS\",
\"adType\": \"Third Quartiles\",
\"content\": \"Episode\",
\"adId\": \"CODE791\"
},
{
\"schema\": \"1.0\",
\"bv\": \"1.3.41\",
\"dt\": \"CS\",
\"adType\": \"Completes\",
\"content\": \"Episode\",
\"adId\": \"CODE791\"
},
{
\"schema\": \"1.0\",
\"bv\": \"1.3.41\",
\"dt\": \"CS\",
\"act\": \"NetworkBalance\",
\"data\": {
\"connectionType\": \"Wi-Fi\",
\"routerInfo\": \"ARRIS\"
}
},
{
\"schema\": \"1.0\",
\"bv\": \"1.3.41\",
\"dt\": \"CS\",
\"act\": \"NetworkBalance\",
\"data\": {
\"connectionType\": \"Wi-Fi\",
\"routerInfo\": \"ARRIS\"
}
},
{
\"schema\": \"1.0\",
\"bv\": \"1.3.41\",
\"dt\": \"CS\",
\"adType\": \"Start\",
\"content\": \"Episode\",
\"adId\": \"635897\"
}
]
}
}"
| spath
``` data emulation above ```
| table LogController_LogMetricsAsync_request.loggerData{}.adType

The table I get is

LogController_LogMetricsAsync_request.loggerData{}.adType
Midpoints
Third Quartiles
Completes
Midpoints
Third Quartiles
Completes
Start

There are seven values in this array. Play with this emulation, plug in subsequent search commands, and find out what's wrong in those. Or post your search to get volunteers to help.

Side note: Python, for one, will not accept \\ in JSON. Technically this is invalid in a JSON document, but somehow Splunk takes it.
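
One way to turn the multivalue adType field from the emulation into a count and a percentage per value, as an added example that is not part of the original post. The events are a constructed, shortened sample, and the field names `count`, `total` and `percent` are assumptions; comments use the `rename COMMENT as` no-op idiom.

```spl
| makeresults
| rename COMMENT as "constructed sample: three ad entries plus one entry without adType"
| eval _raw = "{
  \"LogController_LogMetricsAsync_request\": {
    \"loggerData\": [
      {\"act\": \"PlaybackAd\", \"adType\": \"Midpoints\", \"adId\": \"676697\"},
      {\"act\": \"PlaybackAd\", \"adType\": \"Completes\", \"adId\": \"676697\"},
      {\"act\": \"NetworkBalance\", \"data\": {\"connectionType\": \"Wi-Fi\"}},
      {\"adType\": \"Midpoints\", \"adId\": \"CODE791\"},
      {\"adType\": \"Start\", \"adId\": \"635897\"}
    ]
  }
}"
| spath
| rename COMMENT as "shorten the extracted field name, then make one row per array value"
| rename "LogController_LogMetricsAsync_request.loggerData{}.adType" as adType
| mvexpand adType
| rename COMMENT as "entries without adType contribute no value, so they are not counted"
| stats count by adType
| eventstats sum(count) as total
| eval percent = round(100 * count / total, 1)
| table adType count percent
```

Against real events, replace everything up to and including `| spath` with the base search; `stats count by adType` then aggregates across all matching events, not per event.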