https://community.splunk.com/t5/Getting-Data-In/stats-query-on-JSON-data/m-p/177621#M35587 <P>It seems to me as if <CODE>spath</CODE> is confused by single quotes in the JSON. Take a look at this:</P> <PRE><CODE>| stats count | fields - count | eval _raw = "07/03/2014 11:55:05 Debug [b9d94320-2915-4bbc-a96f-98fa125c4e27] [IC3QOE11OAB5318640POGM14VSURV5] Wallet3DSecureSetResult started with Result[{'paressyntaxok':'true','paresverified':'false','version':'2.0','merchantid':'455665864697','xid':'MDAwMDAwMDBPREhMMDUzNDc3NzE=','mdstatus':'1','mderrormsg':'Authenticated','txstatus':'Y','ireqcode':'','ireqdetail':'','vendorcode':'','eci':'02','cavv':'jOm+n8MEwOyKAREABwMDh/QP5n4=','cavvalgorithm':'3','md':'123,123','digest':'U2eto4Un1nUa3jdOlRuzQk59ERY=','sid':'2','veresenrolledstatus':'Y','parestxstatus':'Y','status':'ok','requestpage':'api_deposit.aspx'}] MPIKey[borgun]" | rex "Result\[(?&lt;result&gt;.*?)\]" | eval result=replace(result, "'", "\"") | spath input=result | fields merchantid mdstatus | fields - _raw </CODE></PRE> <P>This gives me your two interesting fields perfectly, but only after replacing the single quotes with double quotes.</P> <P>According to <A href="http://www.json.org/">http://www.json.org/</A> double quotes are the only valid way of enclosing strings in JSON. Consider fixing your source to output valid JSON.</P> <P><IMG src="http://www.json.org/string.gif" alt="alt text" /></P> Fri, 07 Mar 2014 14:36:51 GMT martin_mueller 2014-03-07T14:36:51Z https://community.splunk.com/t5/Getting-Data-In/stats-query-on-JSON-data/m-p/177620#M35586 <P>Hi,</P> <P>I've been struggling with spath attempts for this for a day or two, so reaching out for help! I have the following detail within an event:</P> <PRE><CODE>07/03/2014 11:55:05 Debug [b9d94320-2915-4bbc-a96f-98fa125c4e27] [IC3QOE11OAB5318640POGM14VSURV5] Wallet3DSecureSetResult started with Result[{'paressyntaxok':'true','paresverified':'false','version':'2.0','merchantid':'455665864697','xid':'MDAwMDAwMDBPREhMMDUzNDc3NzE=','mdstatus':'1','mderrormsg':'Authenticated','txstatus':'Y','ireqcode':'','ireqdetail':'','vendorcode':'','eci':'02','cavv':'jOm+n8MEwOyKAREABwMDh/QP5n4=','cavvalgorithm':'3','md':'123,123','digest':'U2eto4Un1nUa3jdOlRuzQk59ERY=','sid':'2','veresenrolledstatus':'Y','parestxstatus':'Y','status':'ok','requestpage':'api_deposit.aspx'}] MPIKey[borgun] </CODE></PRE> <P>The detail I'm interested in is 'merchantid' and 'mdstatus'. </P> <P>mdstatus can be a value between 0 and 8 - I want to be able to analyse per merchantid the count of each mdstatus.</P> <P>Any help appreciated!</P> <P>Cheers,<BR /> Luke</P> Fri, 07 Mar 2014 12:06:30 GMT https://community.splunk.com/t5/Getting-Data-In/stats-query-on-JSON-data/m-p/177620#M35586 luke_vamasoft 2014-03-07T12:06:30Z https://community.splunk.com/t5/Getting-Data-In/stats-query-on-JSON-data/m-p/177621#M35587 <P>It seems to me as if <CODE>spath</CODE> is confused by single quotes in the JSON. Take a look at this:</P> <PRE><CODE>| stats count | fields - count | eval _raw = "07/03/2014 11:55:05 Debug [b9d94320-2915-4bbc-a96f-98fa125c4e27] [IC3QOE11OAB5318640POGM14VSURV5] Wallet3DSecureSetResult started with Result[{'paressyntaxok':'true','paresverified':'false','version':'2.0','merchantid':'455665864697','xid':'MDAwMDAwMDBPREhMMDUzNDc3NzE=','mdstatus':'1','mderrormsg':'Authenticated','txstatus':'Y','ireqcode':'','ireqdetail':'','vendorcode':'','eci':'02','cavv':'jOm+n8MEwOyKAREABwMDh/QP5n4=','cavvalgorithm':'3','md':'123,123','digest':'U2eto4Un1nUa3jdOlRuzQk59ERY=','sid':'2','veresenrolledstatus':'Y','parestxstatus':'Y','status':'ok','requestpage':'api_deposit.aspx'}] MPIKey[borgun]" | rex "Result\[(?&lt;result&gt;.*?)\]" | eval result=replace(result, "'", "\"") | spath input=result | fields merchantid mdstatus | fields - _raw </CODE></PRE> <P>This gives me your two interesting fields perfectly, but only after replacing the single quotes with double quotes.</P> <P>According to <A href="http://www.json.org/">http://www.json.org/</A> double quotes are the only valid way of enclosing strings in JSON. Consider fixing your source to output valid JSON.</P> <P><IMG src="http://www.json.org/string.gif" alt="alt text" /></P> Fri, 07 Mar 2014 14:36:51 GMT https://community.splunk.com/t5/Getting-Data-In/stats-query-on-JSON-data/m-p/177621#M35587 martin_mueller 2014-03-07T14:36:51Z https://community.splunk.com/t5/Getting-Data-In/stats-query-on-JSON-data/m-p/177622#M35588 <P>Thank you Martin - I can enjoy my weekend now!!!</P> Fri, 07 Mar 2014 14:55:43 GMT https://community.splunk.com/t5/Getting-Data-In/stats-query-on-JSON-data/m-p/177622#M35588 luke_vamasoft 2014-03-07T14:55:43Z