https://community.splunk.com/t5/Splunk-Search/How-to-extract-count-of-specific-event-from-nested-JSON/m-p/514801#M144508 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/184221">@to4kawa</a>&nbsp;Sorry! I was using the highlighted syntax mode in Splunk. Thanks for correcting that.</P> Tue, 18 Aug 2020 23:51:51 GMT chtmai 2020-08-18T23:51:51Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-count-of-specific-event-from-nested-JSON/m-p/514789#M144501 <P>I have this data coming in every minute to monitor application performance:</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">{ "events": [ { "appId": "mock-app", "eventType": "WorkflowRequestFailedCount", "failureType": "wf.execution.error", "metricType": "COUNTER", "requestType": "WORKFLOW", "throughput": 15, "workflowId": "create" }, { "appId": "mock-app", "eventType": "WorkflowRequestProcessedCount", "metricType": "COUNTER", "requestType": "WORKFLOW", "throughput": 0 }, { "appId": "mock-app", "eventType": "WorkflowRequestReceivedCount", "metricType": "COUNTER", "requestType": "WORKFLOW", "throughput": 20, "workflowId": "create" } ] }</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>I need a query (to set up an alert) that identifies when <STRONG>throughput</STRONG> is GREATER than 0 for throughput nested with&nbsp;<STRONG>eventType</STRONG> <STRONG>= WorkflowRequestFailedCount</STRONG>. I can't figure out how to isolate the throughput count between different <STRONG>eventType</STRONG> items when they are both nested within the same <STRONG>events</STRONG> object as shown above.</P><P>For the JSON shown above, the correct query should trigger an alert because the throughput for&nbsp;<STRONG>WorkflowRequestFailedCount&nbsp;</STRONG>is 15 (greater than 0).</P><P>Appreciate the help.</P> Tue, 18 Aug 2020 23:52:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-count-of-specific-event-from-nested-JSON/m-p/514789#M144501 chtmai 2020-08-18T23:52:47Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-count-of-specific-event-from-nested-JSON/m-p/514795#M144503 <P>your sample is not valid json.<BR />Splunk can't extract invalid json.<BR />We can't create a solution with the wrong sample.<BR /><BR /></P> Tue, 18 Aug 2020 23:24:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-count-of-specific-event-from-nested-JSON/m-p/514795#M144503 to4kawa 2020-08-18T23:24:42Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-count-of-specific-event-from-nested-JSON/m-p/514797#M144504 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/184221">@to4kawa</a>&nbsp;Updated! Does this help?</P> Tue, 18 Aug 2020 23:33:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-count-of-specific-event-from-nested-JSON/m-p/514797#M144504 chtmai 2020-08-18T23:33:49Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-count-of-specific-event-from-nested-JSON/m-p/514800#M144507 <LI-CODE lang="markup">{ "events": [ { "appId": "mock-app", "eventType": "WorkflowRequestFailedCount", "failureType": "wf.execution.error", "metricType": "COUNTER", "requestType": "WORKFLOW", "throughput": 15, "workflowId": "create" }, { "appId": "mock-app", "eventType": "WorkflowRequestProcessedCount", "metricType": "COUNTER", "requestType": "WORKFLOW", "throughput": 0 }, { "appId": "mock-app", "eventType": "WorkflowRequestReceivedCount", "metricType": "COUNTER", "requestType": "WORKFLOW", "throughput": 20, "workflowId": "create" } ] }</LI-CODE><P>this is valid JSON. your JSON is not valid.<BR /><BR /></P> Tue, 18 Aug 2020 23:49:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-count-of-specific-event-from-nested-JSON/m-p/514800#M144507 to4kawa 2020-08-18T23:49:39Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-count-of-specific-event-from-nested-JSON/m-p/514801#M144508 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/184221">@to4kawa</a>&nbsp;Sorry! I was using the highlighted syntax mode in Splunk. Thanks for correcting that.</P> Tue, 18 Aug 2020 23:51:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-count-of-specific-event-from-nested-JSON/m-p/514801#M144508 chtmai 2020-08-18T23:51:51Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-count-of-specific-event-from-nested-JSON/m-p/514803#M144509 <P>| spath events{} output=events<BR />| mvexpand events<BR />| spath input=events<BR />| fields - events* _raw<BR />| search throughput &gt; 0 AND eventType = WorkflowRequestFailedCount<BR />| table *</P> Tue, 18 Aug 2020 23:55:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-count-of-specific-event-from-nested-JSON/m-p/514803#M144509 to4kawa 2020-08-18T23:55:05Z