https://community.splunk.com/t5/Splunk-Search/How-do-I-sum-similarly-named-fields-from-nested-JSON/m-p/220946#M64920 <P>Is this what you are looking for? If not please post a few samples and a more detailed JSON file.</P> <PRE><CODE>your base search here | spath input=yourJsonField | stats sum(subdata*) as subdata* by id | stats max(subdata*) as subdata* </CODE></PRE> <P>Example with some data:</P> <PRE><CODE>| makeresults | eval _raw = " { \"id\": \"theid\", \"subdata\": [ { \"subname\": \"s1\", \"key1_foo\": 10, \"key1_bar\": 12, \"key2_foo\": 100, \"key2_bar\": 101}, {\"subname\": \"s2\", \"key1_foo\": 20, \"key1_bar\": 24, \"key2_foo\": 200, \"key2_bar\": 202} ] } " | spath input=_raw | stats sum(subdata*) as subdata* by id | stats max(subdata*) as subdata* </CODE></PRE> <P>Output:<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/1702i0F966EC409564D6A/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Wed, 10 Aug 2016 10:54:55 GMT javiergn 2016-08-10T10:54:55Z https://community.splunk.com/t5/Splunk-Search/How-do-I-sum-similarly-named-fields-from-nested-JSON/m-p/220944#M64918 <P>I have JSON events with a sub list and want to sum similarly named fields for each event.</P> <PRE><CODE>{ "id": "theid", "subdata": [ { "subname": "s1", "key1_foo": 10, "key1_bar": 12, "key2_foo": 100, "key2_bar": 101}, {"subname": "s2", "key1_foo .... </CODE></PRE> <P>I would like to <CODE>chart max(sum_of_key1*), max(sum_of_key2*)</CODE> by the id<BR /> and also by subname.</P> <P>Any info would be appreciated.</P> <P>Thanks</P> Tue, 09 Aug 2016 23:52:42 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-sum-similarly-named-fields-from-nested-JSON/m-p/220944#M64918 unclethan 2016-08-09T23:52:42Z https://community.splunk.com/t5/Splunk-Search/How-do-I-sum-similarly-named-fields-from-nested-JSON/m-p/220945#M64919 <P>This is my go to article for this use case:</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/Spath#Example_3:_Extract_and_expand_JSON_events_with_multi-valued_fields">https://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/Spath#Example_3:_Extract_and_expand_JSON_events_with_multi-valued_fields</A></P> Wed, 10 Aug 2016 01:18:50 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-sum-similarly-named-fields-from-nested-JSON/m-p/220945#M64919 jkat54 2016-08-10T01:18:50Z https://community.splunk.com/t5/Splunk-Search/How-do-I-sum-similarly-named-fields-from-nested-JSON/m-p/220946#M64920 <P>Is this what you are looking for? If not please post a few samples and a more detailed JSON file.</P> <PRE><CODE>your base search here | spath input=yourJsonField | stats sum(subdata*) as subdata* by id | stats max(subdata*) as subdata* </CODE></PRE> <P>Example with some data:</P> <PRE><CODE>| makeresults | eval _raw = " { \"id\": \"theid\", \"subdata\": [ { \"subname\": \"s1\", \"key1_foo\": 10, \"key1_bar\": 12, \"key2_foo\": 100, \"key2_bar\": 101}, {\"subname\": \"s2\", \"key1_foo\": 20, \"key1_bar\": 24, \"key2_foo\": 200, \"key2_bar\": 202} ] } " | spath input=_raw | stats sum(subdata*) as subdata* by id | stats max(subdata*) as subdata* </CODE></PRE> <P>Output:<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/1702i0F966EC409564D6A/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Wed, 10 Aug 2016 10:54:55 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-sum-similarly-named-fields-from-nested-JSON/m-p/220946#M64920 javiergn 2016-08-10T10:54:55Z https://community.splunk.com/t5/Splunk-Search/How-do-I-sum-similarly-named-fields-from-nested-JSON/m-p/220947#M64921 <P>Sorry I wasn't clear.<BR /> Your example gives a result per key1_* field, I need a sum over all the key1_fields, named key1, and the same for key2.</P> Tue, 29 Sep 2020 10:34:50 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-sum-similarly-named-fields-from-nested-JSON/m-p/220947#M64921 unclethan 2020-09-29T10:34:50Z https://community.splunk.com/t5/Splunk-Search/How-do-I-sum-similarly-named-fields-from-nested-JSON/m-p/220948#M64922 <P>If you have your data indexed as JSON, and all fields are extracted, this shoud work</P> <PRE><CODE>| rename subdata{}.* as * | stats sum(key1_*) as sum_key1_* sum(key2_*) as sum_key2_* </CODE></PRE> Wed, 10 Aug 2016 20:25:45 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-sum-similarly-named-fields-from-nested-JSON/m-p/220948#M64922 sundareshr 2016-08-10T20:25:45Z https://community.splunk.com/t5/Splunk-Search/How-do-I-sum-similarly-named-fields-from-nested-JSON/m-p/220949#M64923 <P>as I mentioned above, the summation is meant to be across similar keys within the json object, not per-key, across events.</P> Wed, 10 Aug 2016 20:31:31 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-sum-similarly-named-fields-from-nested-JSON/m-p/220949#M64923 unclethan 2016-08-10T20:31:31Z https://community.splunk.com/t5/Splunk-Search/How-do-I-sum-similarly-named-fields-from-nested-JSON/m-p/220950#M64924 <P>Replace the ... with the root searches:</P> <PRE><CODE>... | spath | rename subdata{}.key1* as key1* | stats sum(key1*) as key1* | addtotals key1* | append [ search ... | spath | rename subdata{}.key2* as key2* | stats sum(key2*) as key2* | addtotals key2* ] | transpose </CODE></PRE> Wed, 10 Aug 2016 22:05:43 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-sum-similarly-named-fields-from-nested-JSON/m-p/220950#M64924 jkat54 2016-08-10T22:05:43Z