Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to aggregate results by elements in the array, and sort them by ratio

karol
Engager
‎09-07-2025 09:07 PM

I got my data stream in a following format:

[
    {
        "name": "event 1"
        "attributes": [false, true, true],
    },
    {
        "name": "event 2"
        "attributes": [false, false, true],
    }
]

I want to output them sorting by a ratio of `true` to `false` values in the array:

name| true count | false count | percentage

event 1 | 2 | 1 | 66.67%
event 2 | 1 | 2 | 33.33%

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PrewinThomas
Motivator
‎09-07-2025 09:33 PM

@karol 

You can use spath and mvexpand on your field.

| spath input=attributes
| mvexpand attributes
| eval true_count=if(attributes="true", 1, 0), false_count=if(attributes="false", 1, 0)
| stats sum(true_count) as true_count sum(false_count) as false_count by name
| eval percentage=round((true_count / (true_count + false_count)) * 100, 2)
| sort - percentage

demo12.JPG

Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

View solution in original post

Reply
Solved! Jump to solution
Solution

PrewinThomas
Motivator
‎09-07-2025 09:33 PM

@karol 

You can use spath and mvexpand on your field.

| spath input=attributes
| mvexpand attributes
| eval true_count=if(attributes="true", 1, 0), false_count=if(attributes="false", 1, 0)
| stats sum(true_count) as true_count sum(false_count) as false_count by name
| eval percentage=round((true_count / (true_count + false_count)) * 100, 2)
| sort - percentage

demo12.JPG

Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...