Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Get count of top level keys from JSON?

Pramodkuber
Engager
‎09-26-2020 12:45 AM

my Splunk logs looks like below. Total keys could change based on use case. I need to get exact number of keys from below data and then what is the max key count among those. Please guide me here.

{
   level: INFO
   logger_name: com.123.logging
   process: NA
   requestId: 1234567
   attribute: email
   criteria: value
   path: aa.bb.cc
   service_name: SERVICE_NAME
   thread_name: h1234567
   timestamp: 2020-09-26T07:33:53.451Z
}

 

Labels (2)
Labels
0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎09-29-2020 11:27 AM

Do you mean "keys" as in, your example, 'level', 'logger_name', 'process', and so on?

If so, some variant of a search like

index=fw 
| fieldsummary 
| fields field, count
| search count>0 NOT field IN ("date*", "eventtype", "index", "linecount", "punct", "source", "sourcetype", "splunk_server", "splunk_server_group", "tag*", "timeendpos", "timestartpos")
| stats count

might do it.  You'll have to remove the "stats count" at the end to double-check that all the Splunk built-in fields are removed in that `NOT field IN ....` part of the search.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...