topic Re: Getting Count of specific value in json formatted log in Splunk Search

Getting Count of specific value in json formatted log

kahlerb — Tue, 29 Sep 2020 07:20:18 GMT

I have a json splunk log, and I need to get the count of the number of times the "message" field is equal to "Total request time". This same template is used for most all the logs, so the "message" field can have several different values.

{
api: my-fancy-api
app: MyApp
category: RESP_TIME
message: Total request time
reference_id: MyID123123
session_id: 1442877284-39497
time: 09-21-2015 23:14:45.023 +0000
total_request_time: 0.557
units: seconds
}

EDIT:
Ultimately I will need to get the count of multiple values for "message" in the same search string. One count for "Total request time" and then another count for "Sub-request time" etc.

Re: Getting Count of specific value in json formatted log

somesoni2 — Thu, 24 Sep 2015 18:09:16 GMT

Assuming you've setup KV_MODE=json to correctly parse the fields from your json data, try something like this

your base search message="Total request time" | stats count

Re: Getting Count of specific value in json formatted log

kahlerb — Thu, 24 Sep 2015 18:21:04 GMT

Thank you for the quick answer... please see the clarification I added with the edit.