Solved: Re: Grouping by items in an array

Maurice · ‎07-09-2021

Hi,

I'm hoping someone can help me out here.

I have a property(books) on each event which holds an array of objects.

I would like to group by books{}.name with count on y axis and create a bar chart.

I tried using top books{}.name but this does not seem to give the correct results, seems to miss out on some groups all together

{

books:[

{name: "book1"},

{name: "book2"},

{name: "book3"},

{name: "book1"},

]

}

Would you have an idea of how to fix this,

Kind Regards,

Maurice

ITWhisperer · ‎07-09-2021

Are you extracting the fields with spath first?

| makeresults 
| eval _raw="{
\"books\":[
{\"name\": \"book1\"},
{\"name\": \"book2\"},
{\"name\": \"book3\"},
{\"name\": \"book3\"},
{\"name\": \"book1\"},
{\"name\": \"book1\"},
      ]
}"
| spath
| top books{}.name

View solution in original post

ITWhisperer · ‎07-09-2021

Are you extracting the fields with spath first?

| makeresults 
| eval _raw="{
\"books\":[
{\"name\": \"book1\"},
{\"name\": \"book2\"},
{\"name\": \"book3\"},
{\"name\": \"book3\"},
{\"name\": \"book1\"},
{\"name\": \"book1\"},
      ]
}"
| spath
| top books{}.name

Maurice · ‎07-12-2021

Thanks a million for the reply.

It really helped focus me in the correct direction.

I ended up having to put an explicit spath before each of my search command that referenced one of the complex object properties.

similar to:

| spath books{}.name
| search books{}.name
| top books{}.name

Grouping by items in an array

JSON

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

Join the Conversation