Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Get count of top level keys from JSON?

Pramodkuber
Engager
‎09-26-2020 12:45 AM

my Splunk logs looks like below. Total keys could change based on use case. I need to get exact number of keys from below data and then what is the max key count among those. Please guide me here.

{
   level: INFO
   logger_name: com.123.logging
   process: NA
   requestId: 1234567
   attribute: email
   criteria: value
   path: aa.bb.cc
   service_name: SERVICE_NAME
   thread_name: h1234567
   timestamp: 2020-09-26T07:33:53.451Z
}

 

Labels (2)
Labels
0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎09-29-2020 11:27 AM

Do you mean "keys" as in, your example, 'level', 'logger_name', 'process', and so on?

If so, some variant of a search like

index=fw 
| fieldsummary 
| fields field, count
| search count>0 NOT field IN ("date*", "eventtype", "index", "linecount", "punct", "source", "sourcetype", "splunk_server", "splunk_server_group", "tag*", "timeendpos", "timestartpos")
| stats count

might do it.  You'll have to remove the "stats count" at the end to double-check that all the Splunk built-in fields are removed in that `NOT field IN ....` part of the search.

 

0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...