https://community.splunk.com/t5/Splunk-Search/How-do-I-count-fields-inside-a-JSON-array/m-p/454244#M128528 <P>My co-worker finally got enough time to look at this for me. The solution is</P> <P>| spath threatsInfoMap{} output=threatsElements <BR /> | stats count(threatsElements) AS threatsElementsCount by _time</P> Fri, 22 Mar 2019 18:31:54 GMT jwhughes58 2019-03-22T18:31:54Z https://community.splunk.com/t5/Splunk-Search/How-do-I-count-fields-inside-a-JSON-array/m-p/454243#M128527 <P>Hi,</P> <P>I have this data</P> <PRE><CODE>{"quarantineFolder": null, "spamScore": 100, "threatsInfoMap": [{"campaignID": null, "threat": "http://weg-aus-dem-hamsterrad.de/r5romlp/verif.myacc.resourses.biz/", "threatUrl": "https://threatinsight.proofpoint.com/cac61cbd-474f-77be-4915-2f27623219e4/threat/email/38e20c3d0a5c30dae9cc53f0fb77099a536a879530d4ded89209eb68db8be620", "classification": "malware", "threatType": "url", "threatID": "38e20c3d0a5c30dae9cc53f0fb77099a536a879530d4ded89209eb68db8be620", "threatTime": "2019-03-21T19:36:06.000Z", "threatStatus": "active"}], "replyToAddress": [], "phishScore": 0, "eventType": "messagesBlocked", "toAddresses": [“xyzzy@company.com”], "policyRoutes": ["default_inbound", "Inbound"], "messageParts": [{"md5": "4e12ab62f710e02270e02fdfad9a1817", "oContentType": "text/plain", "contentType": "text/plain", "disposition": "inline", "sha256": "d97d9261a6f0795bec34f055b997b01ec5f02b71f28d71aa88da47883c6df023", "sandboxStatus": null, "filename": "text.txt"}, {"md5": "fddffa81e7b4fe62073e0aab0336af76", "oContentType": "text/html", "contentType": "text/html", "disposition": "inline", "sha256": "43649abeaa49d66a1f4c36577251fd0578d6852c867d6fa4d3c26155eede56b0", "sandboxStatus": null, "filename": "text.html"}], "fromAddress": [], "QID": "2rbvw7q840-1", "xmailer": null, "senderIP": “1.1.1.1”, "sender": “plugh@company2.com”, "quarantineRule": null, "ccAddresses": [], "completelyRewritten": false, "messageTime": "2019-03-21T19:36:03.000Z", "recipient": [“xyzzy@company.com”], "messageSize": 3892, "headerReplyTo": null, "modulesRun": ["access", "smtpsrv", "av", "zerohour", "spf", "dkimv", "sandbox", "spam", "dmarc", "pdr", "urldefense"], "cluster": “prod_host”, "impostorScore": 0.0, "headerFrom": “Narf &lt;narf@company.com&gt; &lt;plugh@company2.com&gt;”, "GUID": "V-5swmMYZHoDpbgyPsQ9tN9LtKfCwHUK", "malwareScore": 100, "messageID": "&lt;8TJjwegKPa6rThF30mDqDCkVzV36CA8OoaMbImztyGguX8SRF7d@kp.org&gt;", "subject": “Narf Transaction for your invoice"} </CODE></PRE> <P>I'm seeing an issue where the sender value isn't extracted if the number of items in the threatsInfoMap is large. Does someone have a suggestion for counting the items in the threatsInfoMap so I can see if this is what is happening?</P> <P>TIA,<BR /> Joe</P> Thu, 21 Mar 2019 20:00:38 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-count-fields-inside-a-JSON-array/m-p/454243#M128527 jwhughes58 2019-03-21T20:00:38Z https://community.splunk.com/t5/Splunk-Search/How-do-I-count-fields-inside-a-JSON-array/m-p/454244#M128528 <P>My co-worker finally got enough time to look at this for me. The solution is</P> <P>| spath threatsInfoMap{} output=threatsElements <BR /> | stats count(threatsElements) AS threatsElementsCount by _time</P> Fri, 22 Mar 2019 18:31:54 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-count-fields-inside-a-JSON-array/m-p/454244#M128528 jwhughes58 2019-03-22T18:31:54Z