Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I not getting value in a new created field?

csharm21
Loves-to-Learn
‎01-07-2019 11:08 PM

Hi Team,

I am trying to create one SPL search and create a new field with the eval command, but I am not getting any value count on the newly created field.

Please find my query below.

index=throwaway sourcetype=GIC-EMR-Wrapper-log_V1
| stats 
count(eval(errorResponse.ResponseCode=CCEABR)) as "CCEABR Count"
count(eval(errorResponse.ResponseCode=CCEAIT)) as "CCEAIT Count"
count(eval(errorResponse.ResponseCode=CCEAEE)) as "CCEAEE Count" 
count(eval(errorResponse.ResponseCode=AESCND)) as "AESCND Count" 
count(eval(errorResponse.ResponseCode=AESCEE)) as "AESCEE Count" 
count(eval(errorResponse.ResponseCode=AERCEE)) as "AERCEE Count" 
count(eval(errorResponse.ResponseCode=CPDNA)) as "CPDNA Count"
count(eval(errorResponse.ResponseCode=CPMNF)) as "CPMNF Count"
count(eval(errorResponse.ResponseCode=CPLOB)) as "CPLOB Count"
count(eval(isnull(errorResponse.TimeStamp))) as "Timeout Count"
count(eval(errorResponse.JsonResponse="" or isnull(errorResponse.JsonResponse))) as "Success/No Error Code Count"
by requestSpecificElements.clientID requestSpecificElements.locationID
| rename requestSpecificElements.clientID as "Client ID"
requestSpecificElements.locationID as "Location ID
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎01-08-2019 12:05 AM

@csharm21 add single quote for your field name inside eval expression as there is dot ( . ) special character in the field name. Try replacing stats pipe with the following ans confirm!

| stats 
count(eval('errorResponse.ResponseCode'=="CCEABR")) as "CCEABR Count"
count(eval('errorResponse.ResponseCode'=="CCEAIT")) as "CCEAIT Count"
count(eval('errorResponse.ResponseCode'=="CCEAEE")) as "CCEAEE Count" 
count(eval('errorResponse.ResponseCode'=="AESCND")) as "AESCND Count" 
count(eval('errorResponse.ResponseCode'=="AESCEE")) as "AESCEE Count" 
count(eval('errorResponse.ResponseCode'=="AERCEE")) as "AERCEE Count" 
count(eval('errorResponse.ResponseCode'=="CPDNA")) as "CPDNA Count"
count(eval('errorResponse.ResponseCode'=="CPMNF")) as "CPMNF Count"
count(eval('errorResponse.ResponseCode'=="CPLOB")) as "CPLOB Count"
count(eval(isnull('errorResponse.TimeStamp'))) as "Timeout Count"
count(eval('errorResponse.JsonResponse'=="" or isnull('errorResponse.JsonResponse'))) as "Success/No Error Code Count"
by "requestSpecificElements.clientID" "requestSpecificElements.locationID"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎01-08-2019 12:05 AM

@csharm21 add single quote for your field name inside eval expression as there is dot ( . ) special character in the field name. Try replacing stats pipe with the following ans confirm!

| stats 
count(eval('errorResponse.ResponseCode'=="CCEABR")) as "CCEABR Count"
count(eval('errorResponse.ResponseCode'=="CCEAIT")) as "CCEAIT Count"
count(eval('errorResponse.ResponseCode'=="CCEAEE")) as "CCEAEE Count" 
count(eval('errorResponse.ResponseCode'=="AESCND")) as "AESCND Count" 
count(eval('errorResponse.ResponseCode'=="AESCEE")) as "AESCEE Count" 
count(eval('errorResponse.ResponseCode'=="AERCEE")) as "AERCEE Count" 
count(eval('errorResponse.ResponseCode'=="CPDNA")) as "CPDNA Count"
count(eval('errorResponse.ResponseCode'=="CPMNF")) as "CPMNF Count"
count(eval('errorResponse.ResponseCode'=="CPLOB")) as "CPLOB Count"
count(eval(isnull('errorResponse.TimeStamp'))) as "Timeout Count"
count(eval('errorResponse.JsonResponse'=="" or isnull('errorResponse.JsonResponse'))) as "Success/No Error Code Count"
by "requestSpecificElements.clientID" "requestSpecificElements.locationID"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

csharm21
Loves-to-Learn
‎01-08-2019 01:32 AM

Thanks @niketnilay this worked for me.

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎01-07-2019 11:36 PM

@csharm21

Can you please make sure below points?

1) Check whether all field available... Mainly those which are in by clause.
index=throwaway sourcetype=GIC-EMR-Wrapper-log_V1 | table errorResponse.*
2) Try with Enclosing filed name value with quotes. like count(eval("errorResponse.ResponseCode"="CCEABR")) as "CCEABR Count" &
from requestSpecificElements.clientID to "requestSpecificElements.clientID"

0 Karma
Reply
Solved! Jump to solution

csharm21
Loves-to-Learn
‎01-07-2019 11:51 PM

Hi Kamlesh,

Even if i run
index=throwaway sourcetype=GIC-EMR-Wrapper-log_V1 | stats count(eval("errorResponse.ResponseCode"="CCEABR")) as "CCEABR Count"

I get only 0 count

but if i use i get some output like below.
index=throwaway sourcetype=GIC-EMR-Wrapper-log_V1 errorResponse.ResponseCode="*" |stats count by errorResponse.ResponseCode

errorResponse.ResponseCode count
CCEAIT 2
CPLOB 3
null 6

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...