Get count of top level keys from JSON?

Pramodkuber · ‎09-26-2020

my Splunk logs looks like below. Total keys could change based on use case. I need to get exact number of keys from below data and then what is the max key count among those. Please guide me here.

{
   level: INFO
   logger_name: com.123.logging
   process: NA
   requestId: 1234567
   attribute: email
   criteria: value
   path: aa.bb.cc
   service_name: SERVICE_NAME
   thread_name: h1234567
   timestamp: 2020-09-26T07:33:53.451Z
}

Richfez · ‎09-29-2020

Do you mean "keys" as in, your example, 'level', 'logger_name', 'process', and so on?

If so, some variant of a search like

index=fw 
| fieldsummary 
| fields field, count
| search count>0 NOT field IN ("date*", "eventtype", "index", "linecount", "punct", "source", "sourcetype", "splunk_server", "splunk_server_group", "tag*", "timeendpos", "timestartpos")
| stats count

might do it. You'll have to remove the "stats count" at the end to double-check that all the Splunk built-in fields are removed in that `NOT field IN ....` part of the search.

Get count of top level keys from JSON?

field extraction

JSON

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!