Re: Percentage of Total of an event within a sub-a...

brajaram · ‎02-08-2018

Our data is structured into a JSON format, with data structured as follows:

{
      IdentifyingDetailsofUserAndCall
      ErrorCodes:[
                 {
                   "code":"Code"
                   "Message":"Message"
                  }
                  ]

}

I'm able to pull out the error code properly from this array. However, if no error code is printed, the entire array is null, as opposed to a null value in the array. As a result, I can't use a TOP function to get the percentage breakdown.

Is there a way to store the overall count of events as a value that propogates throughout my search? The search looks like the following

index=... sourcetype=... morefiltering  | top "ErrorCodes.code"

I want to do a stats command within an eval to be able to store the overall count and then use that with the further evals to generate the total percentage of error codes. Is that possible to do, or is there a better way?

493669 · ‎02-08-2018

Try this:

index=... sourcetype=... morefiltering |fillnull  | top "ErrorCodes.code"

it will make null values filled with zeros

brajaram · ‎02-08-2018

The problem is that there are no actual null values returned, because it is technically two different fields.

The first field is ErrorCodes , which only has a possible value of null

The second field is ErrorCodes{}.code which has all the possible codes as values.

If I do | Top ErrorCodes{}.code , it ignores events with ErrorCodes=Null , and only looks at events where ErrorCodes{}.code has a value.

If I do | Top ErrorCodes it does the same thing, except for ErrorCodes{}.code it ignores

If I do | table ErrorCodes{}.code it shows completely blank values for events with a null value for ErrorCodes . If there is a way to turn blank values in this table into a null value, then I can use the fillnull command to get the appropriate stats.

493669 · ‎02-08-2018

try something like:

eval field1=if('field1'=="",null(),'field1')

brajaram · ‎02-12-2018

Unfortunately that doesn't work. It doesn't register that the field has a value of "", the field itself doesn't exist.

493669 · ‎02-12-2018

have you tried to replaced your fieldname in place of field1....

elliotproebstel · ‎02-08-2018

Try adding fillnull value="" ErrorCode.code before your top command. That way, the events without that value will get populated with an empty string for the field, allowing them to be counted in the percentage calculations for top.

brajaram · ‎02-08-2018

Unfortunately that doesn't work. I think it might have to do with the fact it is treated as two different events.

If the array is null, it is treated as ErrorCodes=Null. But if the array is populated, it is treated as ErrorCodes{}.code=VALUE . I want to find the total count of all events that contain either ErrorCodes=Null or ErrorCodes{}.code=VALUE. But then I want to get a break down of what the value could be.

If I do the search: initial search | table ErrorCodes{}.code then I get blank values in the table for where it doesn't exist, and the actual codes themselves. Is there a way I can use fillnull to make those blank values an actual value?

Percentage of Total of an event within a sub-array

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases