
Get count of how many of a field has a true value.

alakhotia
Explorer

I have a response that looks like this:

{"meta":{"code":400},"flag1":false,"flag2":false,"flag3":true}

There are more than 3 flags, but this is an example.

Assuming that there is only one that is true in each response, I want to get a count of which flag is true the most times, in descending order.

1 Solution

yuanliu
SplunkTrust

You should not use foreach *.  tag::event is a meta field and foreach will not handle those.  It is quite obvious that your data also contain other irrelevant fields.  If you know those tag names, enumerate them. (Read the document.)

| foreach flag1 flag2 flag3 ... flagX
    [eval trueflag = mvappend(trueflag, if(<<FIELD>> == "true", "<<FIELD>>", null()))]
| stats count by trueflag

Alternatively, you probably do not care about other fields.  Remove them so foreach will not be bombed.

| fields loggingObject.responseJson
| spath input=loggingObject.responseJson
| foreach *
    [eval trueflag = mvappend(trueflag, if(<<FIELD>> == "true", "<<FIELD>>", null()))]
| stats count by trueflag

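As an added example, not part of the original thread, here is the complete search the accepted answer leads to, run against constructed sample data so it can be pasted into a search bar as-is. It also adds the descending sort the question asked for. The field name responseJson, the three JSON strings and the non-boolean flag3status/flag7reason fields are assumptions for the emulation; the real search replaces the first four lines with the base search and `| fields loggingObject.responseJson | eval responseJson='loggingObject.responseJson'`.

```spl
| makeresults
| eval responseJson = mvappend(
    "{\"meta\":{\"code\":400},\"flag1\":false,\"flag2\":false,\"flag3\":true}",
    "{\"meta\":{\"code\":200},\"flag1\":true,\"flag2\":false,\"flag3\":false,\"flag3status\":\"3\"}",
    "{\"meta\":{\"code\":400},\"flag1\":false,\"flag2\":false,\"flag3\":true,\"flag7reason\":\"xyz\"}")
| mvexpand responseJson
| fields - _time
| spath input=responseJson
| foreach flag*
    [eval trueflag = mvappend(trueflag, if('<<FIELD>>' == "true", "<<FIELD>>", null()))]
| stats count by trueflag
| sort - count
```

The makeresults/eval/mvexpand lines only fabricate three events, one JSON response each. spath turns the object into top-level fields (flag1, flag2, flag3, meta.code, ...), and `foreach flag*` visits only the fields whose names start with flag, so meta fields such as tag::eventtype and nested fields like loggingObject.methodParams{}.className, which caused the "Failed to parse templatized search" errors under `foreach *`, are never templatized. The single quotes around `<<FIELD>>` make eval treat the substituted name as a field reference rather than a literal. Fields the wildcard does catch but that are not booleans (flag3status = "3", flag7reason = "xyz") never equal the string "true", so they contribute null and are not counted. With these three events the result lists flag3 (count 2) above flag1 (count 1); events in which no flag is true get no trueflag value and drop out of the stats.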

yuanliu
SplunkTrust

Something like

| foreach flag*
    [eval trueflag = mvappend(trueflag, if(<<FIELD>> == "true", "<<FIELD>>", null()))]
| stats count by trueflag

The wildcard expression will depend on actual field names. (Worst case, you iterate over non-flag fields; alternatively, you enumerate all possible flags.) See foreach.


alakhotia
Explorer

Thanks.  My response object is extracted to responseJson.

How do I iterate over any possible field name in responseJson?  What am I doing wrong below?

| eval responseJson='loggingObject.responseJson'
| foreach *
    [eval trueflag = mvappend(trueflag, if(<<FIELD>> == "true", "<<FIELD>>", null()))]
| stats count by trueflag


yuanliu
SplunkTrust

Do you mean to say that Splunk gives you a field named 'loggingObject.responseJson' with that JSON object as value?  In that case, you need to first extract from JSON with spath. (A newer alternative is fromjson.)

| spath input=loggingObject.responseJson
| foreach flag*
    [eval trueflag = mvappend(trueflag, if(<<FIELD>> == "true", "<<FIELD>>", null()))]
| stats count by trueflag

Here is an emulation you can play with and compare with real data:

| makeresults
| fields - _time
| eval loggingObject.responseJson = "{\"meta\":{\"code\":400},\"flag1\":false,\"flag2\":false,\"flag3\":true}"
``` data emulation above ```

alakhotia
Explorer

Thanks.

When I hardcode data like you've done, and I add escaped backslash quotes, it works.

| makeresults
| fields - _time
| eval loggingObject.responseJson = "{\"meta\":{\"code\":400},\"flag1\":false,\"flag2\":false,\"flag3\":true,\"flag3status\":\"3\",\"flag4\":false,\"flag5\":false,\"flag6\":false,\"flag7\":false, \"flag7reason\":\"xyz\"}"
| spath input=loggingObject.responseJson
| foreach *
    [eval trueflag = mvappend(trueflag, if(<<FIELD>> == "true", "<<FIELD>>", null()))]
| stats count by trueflag

When I use my real data results, I do get results, but also some Splunk errors:

| eval responseJson='loggingObject.responseJson'
| spath input=responseJson
| foreach *
    [eval trueflag = mvappend(trueflag, if(<<FIELD>> == "true", "<<FIELD>>", null()))]
| stats count by trueflag

Errors:

[shsplnkprnap008,shsplnkprnap009,shsplnkprnap010,shsplnkprnap011,shsplnkprnap012,shsplnkprnap013] Failed to parse templatized search for field 'tag::eventtype'
[shsplnkprnap008,shsplnkprnap009,shsplnkprnap011,shsplnkprnap012,shsplnkprnap013] Failed to parse templatized search for field 'loggingObject.methodParams{}.className'
[shsplnkprnap008,shsplnkprnap009,shsplnkprnap011,shsplnkprnap012,shsplnkprnap013] Failed to parse templatized search for field 'loggingObject.methodParams{}.value'
[shsplnkprnap008,shsplnkprnap009,shsplnkprnap012,shsplnkprnap013] Failed to parse templatized search for field 'loggingObject.requestHeaders.user-agent'
[shsplnkprnap008,shsplnkprnap009,shsplnkprnap012,shsplnkprnap013] Failed to parse templatized search for field 'loggingObject.requestHeaders.x-forwarded-for'
[shsplnkprnap008,shsplnkprnap009,shsplnkprnap013] Failed to parse templatized search for field 'Device-ID'
[shsplnkprnap008,shsplnkprnap009,shsplnkprnap013] Failed to parse templatized search for field 'valid-beacon-dept-count'
[shsplnkprnap009] Failed to parse templatized search for field 'steps{}'

I am able to do something like this without Splunk errors:

| eval responseJson='loggingObject.responseJson'
| stats count by responseJson
