https://community.splunk.com/t5/Splunk-Search/mvzip-json-array-of-values-in-one-event/m-p/375195#M110239 <P><CODE>index=index | spath input=errorMsg path={}.sym output=sym | spath input=errorMsg path={}.code output=code | stats count by sym, code</CODE></P> Wed, 05 Jul 2017 01:06:53 GMT exocore123 2017-07-05T01:06:53Z https://community.splunk.com/t5/Splunk-Search/mvzip-json-array-of-values-in-one-event/m-p/375193#M110237 <PRE><CODE>[ { "sym":"ee", "code":2E1, }, { "sym":"ie", "code":2E2, } ] </CODE></PRE> <P>I have a field call errorData, when I use <CODE>spath</CODE> to access the json and do <CODE>stats</CODE> and <CODE>mvzip(sym,code)</CODE> function, it splits these events into two different events (but it is still not really what I want). How can I keep it into one event with the contents aggregated. Sometimes the array also only has 1 element, so it should be viable for that situation too</P> <PRE><CODE>sym code count ee,ie 2E1,2E2 1 ee 2E2 1 </CODE></PRE> <P>And I do not want the json with single element array to over-count, I mean mistakenly count matching in the multiple elements json.</P> Fri, 30 Jun 2017 21:25:30 GMT https://community.splunk.com/t5/Splunk-Search/mvzip-json-array-of-values-in-one-event/m-p/375193#M110237 exocore123 2017-06-30T21:25:30Z https://community.splunk.com/t5/Splunk-Search/mvzip-json-array-of-values-in-one-event/m-p/375194#M110238 <P>Can you provide your current full search that you're using?</P> Mon, 03 Jul 2017 21:11:28 GMT https://community.splunk.com/t5/Splunk-Search/mvzip-json-array-of-values-in-one-event/m-p/375194#M110238 somesoni2 2017-07-03T21:11:28Z https://community.splunk.com/t5/Splunk-Search/mvzip-json-array-of-values-in-one-event/m-p/375195#M110239 <P><CODE>index=index | spath input=errorMsg path={}.sym output=sym | spath input=errorMsg path={}.code output=code | stats count by sym, code</CODE></P> Wed, 05 Jul 2017 01:06:53 GMT https://community.splunk.com/t5/Splunk-Search/mvzip-json-array-of-values-in-one-event/m-p/375195#M110239 exocore123 2017-07-05T01:06:53Z https://community.splunk.com/t5/Splunk-Search/mvzip-json-array-of-values-in-one-event/m-p/375196#M110240 <P>Or <CODE>eval msg=mvzip(sym, code) | stats count by msg</CODE> would get me two events listed instead of 4 like above</P> Wed, 05 Jul 2017 01:07:46 GMT https://community.splunk.com/t5/Splunk-Search/mvzip-json-array-of-values-in-one-event/m-p/375196#M110240 exocore123 2017-07-05T01:07:46Z https://community.splunk.com/t5/Splunk-Search/mvzip-json-array-of-values-in-one-event/m-p/375197#M110241 <P>Try this</P> <PRE><CODE>index=index | spath input=errorMsg path={}.sym output=sym | spath input=errorMsg path={}.code output=code | nomv sym | nomv code | stats count by sym code </CODE></PRE> Wed, 05 Jul 2017 16:51:18 GMT https://community.splunk.com/t5/Splunk-Search/mvzip-json-array-of-values-in-one-event/m-p/375197#M110241 somesoni2 2017-07-05T16:51:18Z https://community.splunk.com/t5/Splunk-Search/mvzip-json-array-of-values-in-one-event/m-p/375198#M110242 <P>Wow... that was so much easier than I thought, is there a way I can introduce a comma within the space? Using rex or makedelim or join maybe? </P> Wed, 05 Jul 2017 19:58:56 GMT https://community.splunk.com/t5/Splunk-Search/mvzip-json-array-of-values-in-one-event/m-p/375198#M110242 exocore123 2017-07-05T19:58:56Z https://community.splunk.com/t5/Splunk-Search/mvzip-json-array-of-values-in-one-event/m-p/375199#M110243 <P>You can do like this (assuming the value of sym and code do not contain spaces on their own.</P> <PRE><CODE>above search | eval sym=replace(sym," ",", ") | eval code=replace(code," ",", ") </CODE></PRE> Wed, 05 Jul 2017 21:44:08 GMT https://community.splunk.com/t5/Splunk-Search/mvzip-json-array-of-values-in-one-event/m-p/375199#M110243 somesoni2 2017-07-05T21:44:08Z