Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to calculate the count of a field for multivalued data?

anooshac
Communicator
‎10-15-2024 03:25 AM

I have JSON data which are multivalued. I want to create a overview table of the counts.

{
    "suite": [
        {
            "hostname": "localhost",
            "failures": 0,
            "package": "ABC",
            "tests": 0,
            "name": "ABC_test",
            "id": 0,
            "time": 0,
            "errors": 0,
            "testcase": [
                {
                    "classname": "xyz",
                    "name": "foo1",
                    "time": 0,
                    "status": "Passed"
                },
                {
                    "classname": "pqr",
                    "name": "foo2",
                    "time": 0,
                    "status": "Passed"
                },
               .
               .
               .
            ]
        }
    ]
}

This is the data. For a given project there'll be many JSON files like above. So i want to get the unique data while taking the counts. Tried with mvdedup, it did not work.

|spath output=jenkins_url path=JenkinsMetaData.JENKINS_URL
| spath output=suite path=suite{}.name 
| spath output=case path=suite{}.case{}.name 
| spath output=Build_Num path=JenkinsMetaData.buildnumber 
| spath output=Status path=suite{}.case{}.status 
| fields - _raw
| eventstats max(Build_Num) as Latest_Build by Job_Name 
| where Latest_Build=Build_Num


| stats values(Build_Num) as Build_Num 
  count(eval(Status="Execution Failed" OR Status="Testcase_Failed"))
  AS Failed_cases, 
 count(eval(Status="Passed")) AS Passed_cases, 
  count(eval(Status="Failed" OR Status="Testcase_Error")) AS Execution_Failed_cases, 
  dc(case) as Total_cases 
  dc(suite) as "Total suite" 
  by Job_Name Build_Variant Jenkins_Server

When i do this Total_cases and Total suite are are correct, but other values are not correct.

But when i use |Status="Passed"| stats dc(case) as Passed_cases for one project, im getting correct value.

But my requirement is to create a table for all the projects.

Anyone know how to handle this?

Labels (2)
Labels
Tags (2)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-15-2024 05:12 AM

Can you give an example of an event which generates the incorrect values? (Perhaps with the correct field names too?)

0 Karma
Reply

anooshac
Communicator
‎10-15-2024 08:49 PM

Hi, @ITWhisperer 

The events are like below.

 

 

{
    "MetaData": {
        "JENKINS_URL": "https://abc.com",
        "stagename": "ABC_CT",
        "variantname": "NEW_ABC",
        "jobname": "abc",
        "buildnumber": 29,
        "filename": "1729005933566.json"
    },
    "suite": {
        "hostname": "localhost",
        "failures": 0,
        "package": "ABC",
        "tests": 0,
        "name": "ABC_test",
        "id": 0,
        "time": 0,
        "errors": 0,
        "case": [
            {
                "classname": "xyz",
                "name": "foo1",
                "time": 0,
                "status": "Passed"
            },
            {
                "classname": "pqr",
                "name": "foo2",
                "time": 0,
                "status": "Passed"
            },
........
        ]
    }
}

 

 

there will be so many events like this for a single project and the values will be repeated in those events. Like suite, case will be repeated.

 

index=... sourcetype=...
|spath ...
| stats 
  count(eval(Status="Execution Failed" OR Status="case_Failed"))
  AS Failed_cases, 
 count(eval(Status="Passed")) AS Passed_cases, 
  count(eval(Status="Failed" OR Status="case_Error")) AS Execution_Failed_cases, 
  dc(case) as Total_cases 
  dc(suite) as "Total suite" 
  by Job_Name Build_Variant Jenkins_Server

 

I use spath to get every parameter, then i use them in the query.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-16-2024 03:06 AM

The stats command is counting events not occurrences of status values. You need to use mvexpand to separate out the test cases so you can count the individual status values.

| spath suite.case{} output=cases
| mvexpand cases
| spath input=cases status output=Status
| spath input=cases name output=case
| spath suite.name output=suite
| spath MetaData.jobname output=Job_Name
| spath MetaData.buildnumber output=Build_Variant
| spath MetaData.JENKINS_URL output=Jenkins_Server
| stats 
  count(eval(Status="Execution Failed" OR Status="case_Failed"))
  AS Failed_cases, 
 count(eval(Status="Passed")) AS Passed_cases, 
  count(eval(Status="Failed" OR Status="case_Error")) AS Execution_Failed_cases, 
  dc(case) as Total_cases 
  dc(suite) as "Total suite" 
  by Job_Name Build_Variant Jenkins_Server
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...