topic Help extracting a field from raw data and generating a count in Splunk Search https://community.splunk.com/t5/Splunk-Search/Help-extracting-a-field-from-raw-data-and-generating-a-count/m-p/367931#M108463 <P>For a simple query -</P> <P>index=app_au ms.ab=true</P> <P>I have a raw output of - </P> <PRE><CODE>{"dtm":"2017-09-27 10:44:42.389 PDT", "logger":"audit.com.foo.store.RequestAuditLog", "app":{"p":8523,"a":"WebNav","e":"prod.live.txn","h":"rn2-rosp-pr02-lweb04.fno.foo.com","dc":"fno"}, "msg":{"ab":true,"forwApp":"entry","resTime":12,"dx":1,"mc":{"s":"consumer","gp":"ww.emea.de","gc":"DEU"},"reqHost":"secure.foo.com","resStatus":"503","forwUrl":"urls-entry.loginJSON","d":"0ef7e2b2-f0f2-4a3e-9098-6812d9546b1b","ip":"92.211.19.113","reqPat":"///login/sign_in","reqApp":"entry","r":"c461b663-7102-4431-a0fc-fff7c472b748","t":1506534282377,"sampleWeight":1.0,"reqUrl":"urls-entry.loginJSON"}} </CODE></PRE> <P>I need to extract the ip field and get a list of IP with counts.<BR /> Please help.</P> <P>thanks,<BR /> Vik</P> Wed, 27 Sep 2017 21:04:24 GMT vik78 2017-09-27T21:04:24Z Help extracting a field from raw data and generating a count https://community.splunk.com/t5/Splunk-Search/Help-extracting-a-field-from-raw-data-and-generating-a-count/m-p/367931#M108463 <P>For a simple query -</P> <P>index=app_au ms.ab=true</P> <P>I have a raw output of - </P> <PRE><CODE>{"dtm":"2017-09-27 10:44:42.389 PDT", "logger":"audit.com.foo.store.RequestAuditLog", "app":{"p":8523,"a":"WebNav","e":"prod.live.txn","h":"rn2-rosp-pr02-lweb04.fno.foo.com","dc":"fno"}, "msg":{"ab":true,"forwApp":"entry","resTime":12,"dx":1,"mc":{"s":"consumer","gp":"ww.emea.de","gc":"DEU"},"reqHost":"secure.foo.com","resStatus":"503","forwUrl":"urls-entry.loginJSON","d":"0ef7e2b2-f0f2-4a3e-9098-6812d9546b1b","ip":"92.211.19.113","reqPat":"///login/sign_in","reqApp":"entry","r":"c461b663-7102-4431-a0fc-fff7c472b748","t":1506534282377,"sampleWeight":1.0,"reqUrl":"urls-entry.loginJSON"}} </CODE></PRE> <P>I need to extract the ip field and get a list of IP with counts.<BR /> Please help.</P> <P>thanks,<BR /> Vik</P> Wed, 27 Sep 2017 21:04:24 GMT https://community.splunk.com/t5/Splunk-Search/Help-extracting-a-field-from-raw-data-and-generating-a-count/m-p/367931#M108463 vik78 2017-09-27T21:04:24Z Re: Help extracting a field from raw data and generating a count https://community.splunk.com/t5/Splunk-Search/Help-extracting-a-field-from-raw-data-and-generating-a-count/m-p/367932#M108464 <P>Try this run-anywhere sample ...</P> <PRE><CODE>| makeresults | eval _raw= "{\"dtm\":\"2017-09-27 10:44:42.389 PDT\", \"logger\":\"audit.com.foo.store.RequestAuditLog\", \"app\":{\"p\":8523,\"a\":\"WebNav\",\"e\":\"prod.live.txn\",\"h\":\"rn2-rosp-pr02-lweb04.fno.foo.com\",\"dc\":\"fno\"}, \"msg\":{\"ab\":true,\"forwApp\":\"entry\",\"resTime\":12,\"dx\":1,\"mc\":{\"s\":\"consumer\",\"gp\":\"ww.emea.de\",\"gc\":\"DEU\"},\"reqHost\":\"secure.foo.com\",\"resStatus\":\"503\",\"forwUrl\":\"urls-entry.loginJSON\",\"d\":\"0ef7e2b2-f0f2-4a3e-9098-6812d9546b1b\",\"ip\":\"92.211.19.113\",\"reqPat\":\"///login/sign_in\",\"reqApp\":\"entry\",\"r\":\"c461b663-7102-4431-a0fc-fff7c472b748\",\"t\":1506534282377,\"sampleWeight\":1.0,\"reqUrl\":\"urls-entry.loginJSON\"}}" | rename COMMENT as "The above just enters your test data" | rename COMMENT as "NOw we read the JSON, rename the ip field, and count them up" | spath | rename msg.ip as ip | stats count as ipcount by ip </CODE></PRE> Thu, 28 Sep 2017 00:20:32 GMT https://community.splunk.com/t5/Splunk-Search/Help-extracting-a-field-from-raw-data-and-generating-a-count/m-p/367932#M108464 DalJeanis 2017-09-28T00:20:32Z