Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Why am I not getting value in a new created fi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Team,
I am trying to create one SPL search and create a new field with the eval command, but I am not getting any value count on the newly created field.
Please find my query below.
index=throwaway sourcetype=GIC-EMR-Wrapper-log_V1
| stats
count(eval(errorResponse.ResponseCode=CCEABR)) as "CCEABR Count"
count(eval(errorResponse.ResponseCode=CCEAIT)) as "CCEAIT Count"
count(eval(errorResponse.ResponseCode=CCEAEE)) as "CCEAEE Count"
count(eval(errorResponse.ResponseCode=AESCND)) as "AESCND Count"
count(eval(errorResponse.ResponseCode=AESCEE)) as "AESCEE Count"
count(eval(errorResponse.ResponseCode=AERCEE)) as "AERCEE Count"
count(eval(errorResponse.ResponseCode=CPDNA)) as "CPDNA Count"
count(eval(errorResponse.ResponseCode=CPMNF)) as "CPMNF Count"
count(eval(errorResponse.ResponseCode=CPLOB)) as "CPLOB Count"
count(eval(isnull(errorResponse.TimeStamp))) as "Timeout Count"
count(eval(errorResponse.JsonResponse="" or isnull(errorResponse.JsonResponse))) as "Success/No Error Code Count"
by requestSpecificElements.clientID requestSpecificElements.locationID
| rename requestSpecificElements.clientID as "Client ID"
requestSpecificElements.locationID as "Location ID
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@csharm21 add single quote for your field name inside eval expression as there is dot ( . ) special character in the field name. Try replacing stats pipe with the following ans confirm!
| stats
count(eval('errorResponse.ResponseCode'=="CCEABR")) as "CCEABR Count"
count(eval('errorResponse.ResponseCode'=="CCEAIT")) as "CCEAIT Count"
count(eval('errorResponse.ResponseCode'=="CCEAEE")) as "CCEAEE Count"
count(eval('errorResponse.ResponseCode'=="AESCND")) as "AESCND Count"
count(eval('errorResponse.ResponseCode'=="AESCEE")) as "AESCEE Count"
count(eval('errorResponse.ResponseCode'=="AERCEE")) as "AERCEE Count"
count(eval('errorResponse.ResponseCode'=="CPDNA")) as "CPDNA Count"
count(eval('errorResponse.ResponseCode'=="CPMNF")) as "CPMNF Count"
count(eval('errorResponse.ResponseCode'=="CPLOB")) as "CPLOB Count"
count(eval(isnull('errorResponse.TimeStamp'))) as "Timeout Count"
count(eval('errorResponse.JsonResponse'=="" or isnull('errorResponse.JsonResponse'))) as "Success/No Error Code Count"
by "requestSpecificElements.clientID" "requestSpecificElements.locationID"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@csharm21 add single quote for your field name inside eval expression as there is dot ( . ) special character in the field name. Try replacing stats pipe with the following ans confirm!
| stats
count(eval('errorResponse.ResponseCode'=="CCEABR")) as "CCEABR Count"
count(eval('errorResponse.ResponseCode'=="CCEAIT")) as "CCEAIT Count"
count(eval('errorResponse.ResponseCode'=="CCEAEE")) as "CCEAEE Count"
count(eval('errorResponse.ResponseCode'=="AESCND")) as "AESCND Count"
count(eval('errorResponse.ResponseCode'=="AESCEE")) as "AESCEE Count"
count(eval('errorResponse.ResponseCode'=="AERCEE")) as "AERCEE Count"
count(eval('errorResponse.ResponseCode'=="CPDNA")) as "CPDNA Count"
count(eval('errorResponse.ResponseCode'=="CPMNF")) as "CPMNF Count"
count(eval('errorResponse.ResponseCode'=="CPLOB")) as "CPLOB Count"
count(eval(isnull('errorResponse.TimeStamp'))) as "Timeout Count"
count(eval('errorResponse.JsonResponse'=="" or isnull('errorResponse.JsonResponse'))) as "Success/No Error Code Count"
by "requestSpecificElements.clientID" "requestSpecificElements.locationID"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @niketnilay this worked for me.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@csharm21
Can you please make sure below points?
1) Check whether all field available... Mainly those which are in by clause.
index=throwaway sourcetype=GIC-EMR-Wrapper-log_V1 | table errorResponse.*
2) Try with Enclosing filed name value with quotes. like count(eval("errorResponse.ResponseCode"="CCEABR")) as "CCEABR Count" &
from requestSpecificElements.clientID to "requestSpecificElements.clientID"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Kamlesh,
Even if i run
index=throwaway sourcetype=GIC-EMR-Wrapper-log_V1 | stats count(eval("errorResponse.ResponseCode"="CCEABR")) as "CCEABR Count"
I get only 0 count
but if i use i get some output like below.
index=throwaway sourcetype=GIC-EMR-Wrapper-log_V1 errorResponse.ResponseCode="*" |stats count by errorResponse.ResponseCode
errorResponse.ResponseCode count
CCEAIT 2
CPLOB 3
null 6
Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...
Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...
Reduce and Transform Your Firewall Data with Splunk Data Management
