Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Count fields from json file is not considering the repeating values

anooshac
Communicator
‎07-06-2022 04:58 AM

Hi all,

I have a json file in the format,

{ "NUM":"5",

"EXECUTION_DATE":04-07-2022,

"STATUS":"FAILURE",

"DURATION":5 hrs, 13 mins,

"PARTS":[

{ "NAME":"abc",

"PART_NO":[ "2634702", "2634456","2634890",] },

{ "NAME":"xyz",

"PART_NO":[ "2634702", ] },

] }

I wanted to calculate the count of PART_NO and plot it in a chart. The PART_NO are repeating and i want to calculate the repeated value also, i used count here. I used |timechart count(PARTS{}.PART_NO{}) but it is giving wrong count. Is there any different method to calculate the count?

Labels (3)
Labels
Tags (2)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-06-2022 05:16 AM

Hi @anooshac,

rename it or use before timechart or use quotes: sometimes with json fields there's some problem:

 

| rename  "NAME{}.PART_NO{}" AS PART_NO
| rimechart count BY PART_NO

 

Ciao.

Giuseppe

0 Karma
Reply

anooshac
Communicator
‎07-06-2022 06:23 AM

I want to get the chart for 2 data . If i use count by will i be able to get the data for 2 charts?

I used | timechart span=1d distinct_count(NUM), count(NAME{}.PART_NO{})

I used the solution you provided but the count is still not matching with the data i uploaded. The reeating values are not being considered. How to consider the repeating values for the count?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-06-2022 05:13 AM

It should be PARTS not NAME

| timechart count by PARTS{}.PART_NO{}

That being said, in what way are the counts "wrong"?

0 Karma
Reply

anooshac
Communicator
‎07-06-2022 06:17 AM

Sorry i used the same. The count i got from the query does not match with the data i uploaded. The repeating values of the PART_NO are not considered eventhough i used count. How to consider the repeating values? Also  I wanted to plot chart for both NUM and PART_NO, used | timechart span=1d distinct_count(NUM), count(NAME{}.PART_NO{}). Used the solution given by you also. Still showing the same result.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcment

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...