My Splunk logs look like the example below. The total number of keys could change based on the use case. I need to get the exact number of keys from the data below and then the max key count among those. Please guide me here.
```
{
level: INFO
logger_name: com.123.logging
process: NA
requestId: 1234567
attribute: email
criteria: value
path: aa.bb.cc
service_name: SERVICE_NAME
thread_name: h1234567
timestamp: 2020-09-26T07:33:53.451Z
}
```
Do you mean "keys" as in, your example, 'level', 'logger_name', 'process', and so on?
If so, some variant of a search like
```
index=fw
| fieldsummary
| fields field, count
| search count>0 NOT field IN ("date*", "eventtype", "index", "linecount", "punct", "source", "sourcetype", "splunk_server", "splunk_server_group", "tag*", "timeendpos", "timestartpos")
| stats count
```
might do it. You'll have to remove the "stats count" at the end to double-check that all the Splunk built-in fields are removed in that `NOT field IN ....` part of the search.
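
As an added example (not part of the original posts), the per-event key count and its maximum can be cross-checked outside Splunk. This Python script assumes events in the `{ key: value }` layout shown in the question and reuses the built-in field list from the search above; the second sample event is constructed.

```python
import fnmatch

# Splunk built-in fields, copied from the exclusion list in the answer's search.
BUILTIN = ["date*", "eventtype", "index", "linecount", "punct", "source", "sourcetype",
           "splunk_server", "splunk_server_group", "tag*", "timeendpos", "timestartpos"]

# Constructed sample: the question's event plus a shorter, made-up second event.
SAMPLE = """\
{
level: INFO
logger_name: com.123.logging
process: NA
requestId: 1234567
attribute: email
criteria: value
path: aa.bb.cc
service_name: SERVICE_NAME
thread_name: h1234567
timestamp: 2020-09-26T07:33:53.451Z
}
{
level: WARN
requestId: 7654321
sourcetype: app_logs
}
"""

def parse_events(text):
    """Split the '{ key: value ... }' blocks into one dict per event."""
    events, current = [], None
    for line in map(str.strip, text.splitlines()):
        if line == "{":
            current = {}
        elif line == "}" and current is not None:
            events.append(current)
            current = None
        elif current is not None and ":" in line:
            # Split on the first colon only: timestamp values contain colons.
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
    return events

def key_counts(events):
    """Number of keys per event, ignoring names that match a built-in pattern."""
    return [sum(not any(fnmatch.fnmatchcase(k, p) for p in BUILTIN) for k in e)
            for e in events]

counts = key_counts(parse_events(SAMPLE))
print("keys per event:", counts, "max:", max(counts))
```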