topic Number of fields occurrence in json data in Splunk Search

Number of fields occurrence in json data

govindparashar1 — Wed, 30 Sep 2020 03:17:59 GMT

I have below data

`
{ [-]
context: { [+]
}
level: INFO
logger: x.x.x.xxx.service.xxxService
msg: Filtered statements for account XXXXX: DocumentReferences[references=[DocumentReference[reference=0000001,name=XXXXX_2019,mimeType=APPLICATION_PDF,documentType=ANNUAL_STATEMENT,creationDate=2019-11-18T13:37:13.000Z], DocumentReference[reference=0000002,name=XXXXX_2018,mimeType=APPLICATION_PDF,documentType=ANNUAL_STATEMENT,creationDate=2019-12-03T10:54:47.000Z], DocumentReference[reference=0000003,name=XXXXX_2017,mimeType=APPLICATION_PDF,documentType=ANNUAL_STATEMENT,creationDate=2019-12-03T11:00:52.000Z]]]

}
`
I want to search more than one ANNUAL_STATEMENT occurrence . As above data have 3 statement then this result should return in table

Re: Number of fields occurrence in json data

Anantha123 — Tue, 10 Dec 2019 17:44:38 GMT

Hi ,

try this

base query| spath | stats count(**documentType) as DocType, values(**reference) as Reference , values(**name) as Name by **msg| rex field=**msg "Filtered\sstatements\sfor\saccount\s(?P<AccountNo>[^\:]+)" | search DocType > 1 | table AccountNo , Name, Reference, DocType.

Here when we use spath , fields are automatically extracted . Choose the right field name that is under interesting fileds and put in above query and try .

Thanks
Anantha.

Re: Number of fields occurrence in json data

dindu — Tue, 10 Dec 2019 19:04:45 GMT

Hi Govind,

You need to parse the JSON logs to achieve this.
To parse the logs - you need to trim down the events to make it as exact JSON Splunk expects.
Use regex or replace functionality for that.

You could use the below query after that.

|your_query
|search documentType="ANNUAL_STATEMENT"
|stats list (reference),list(name),list(mimeType),list(documentType),list(creationDate)
|where mvcount(documentType)>1