I have this query:
fields @timestamp, @message
| filter @message like /Endpoint request body after transformations:/
| parse @message '"failureReason":"*"' as UniqueFailureReasons
| stats count(UniqueFailureReasons) as OccurenceCount by UniqueFailureReasons
| display UniqueFailureReasons, OccurenceCount
This is trying to read the logs and find out the unique failure reasons in the past X hours and the count of their occurrences. This gives the right output, except that it also includes a blank row as the very first row.
For example, in the last 1 hour there are no failures, but this query would still give this output:
# UniqueFailureReasons OccurenceCount
1
Field Value
OccurenceCount
UniqueFailureReasons
What am I doing wrong here? I have checked the logs; there are no logs with a blank failureReason.
Update: I added | filter ispresent(UniqueFailureReasons) and it removed the blank field from the result. I don't think this is the correct way of doing it. Can anyone help me understand why this blank row is coming in the first place?
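Added example (not part of the question above): a small Python model of the filter | parse | stats pipeline that reproduces the blank row. It assumes, as a model of Logs Insights behaviour rather than a documented guarantee, that parse leaves the field unset when its glob does not match, that stats groups such rows under an empty key, and that count(field) counts only rows where the field is present. The log messages are constructed for the example; the glob '"failureReason":"*"' is approximated with a regex that stops at the next double quote.

```python
import re
from collections import Counter

# Constructed sample log messages (not taken from the question). The first one
# matches the filter prefix but carries no failureReason at all, e.g. a
# successful request that was logged by the same code path.
SAMPLE_MESSAGES = [
    'Endpoint request body after transformations: {"status":"OK"}',
    'Endpoint request body after transformations: {"failureReason":"TIMEOUT"}',
    'Endpoint request body after transformations: {"failureReason":"TIMEOUT"}',
    'Endpoint request body after transformations: {"failureReason":"BAD_INPUT"}',
    'Some unrelated log line that the filter drops',
]

FILTER_SUBSTR = "Endpoint request body after transformations:"

# Assumption: the glob '"failureReason":"*"' behaves like this regex
# (value runs up to the next double quote, no escaped quotes inside).
PARSE_RE = re.compile(r'"failureReason":"([^"]*)"')


def parse_failure_reason(message):
    """Model of '| parse': returns the extracted value, or None when the
    pattern does not match (the field is simply not created)."""
    m = PARSE_RE.search(message)
    return m.group(1) if m else None


def failure_reason_stats(messages, drop_missing=False):
    """Model of filter | parse | stats count(UniqueFailureReasons) by UniqueFailureReasons.

    Returns {UniqueFailureReasons: OccurenceCount}. A None key is the blank row:
    rows that passed the filter but had nothing to parse. count(field) counts
    only rows where the field is present, so that group shows a count of 0.
    drop_missing=True models the '| filter ispresent(UniqueFailureReasons)' workaround.
    """
    counts = Counter()
    for msg in messages:
        if FILTER_SUBSTR not in msg:          # '| filter @message like /.../'
            continue
        reason = parse_failure_reason(msg)    # '| parse ... as UniqueFailureReasons'
        if reason is None and drop_missing:   # '| filter ispresent(UniqueFailureReasons)'
            continue
        counts.setdefault(reason, 0)          # the group-by key exists even when empty
        if reason is not None:
            counts[reason] += 1               # count(field) skips missing values
    return dict(counts)


def blank_row_sources(messages):
    """Diagnostic: the messages that feed the blank row, i.e. lines matching the
    filter but lacking a failureReason. This is what to inspect in the real logs."""
    return [m for m in messages
            if FILTER_SUBSTR in m and parse_failure_reason(m) is None]


if __name__ == "__main__":
    print(failure_reason_stats(SAMPLE_MESSAGES))
    print(failure_reason_stats(SAMPLE_MESSAGES, drop_missing=True))
    print(blank_row_sources(SAMPLE_MESSAGES))
```

Under this model the blank row is not a log entry with an empty failureReason; it is the group of entries that matched the @message filter but contained no failureReason string at all, so parse produced nothing for them. A query variant that isolates those entries in the real data (filter on the prefix, then filter on `not ispresent(UniqueFailureReasons)`, then display @message) is the equivalent of blank_row_sources here and confirms or refutes the model against the actual log group.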