parsing of array in splunk mvfilter

dtakacssplunk · ‎12-17-2018

In my data I have rows such as this:

{"calls":[{"call":"a","ts":"1","context":{"cached":"false"}},{"call":"b","ts":"2","context":{"cached":"true"}},{"call":"c","ts":"3","context":{"cached":"true"}},{"call":"d","ts":"4","context":{"cached":"true"}}]}

I want to find the rows which happened at ts <= 3 and see what % of them were are cached or not

I have the query:

index=*  | stats count | eval cutoffts=3 | eval calls="{\"calls\":[{\"call\":\"a\",\"ts\":\"1\",\"context\":{\"cached\":\"false\"}},{\"call\":\"b\",\"ts\":\"2\",\"context\":{\"cached\":\"true\"}},{\"call\":\"c\",\"ts\":\"3\",\"context\":{\"cached\":\"true\"}},{\"call\":\"d\",\"ts\":\"4\",\"context\":{\"cached\":\"true\"}}]}" | eval callsarr=spath(calls,"calls{}") | eval callsts=spath(calls, "calls{}.ts") | eval callscachedarr=spath(calls, "calls{}.context.cached") | eval callscachedarrtrue=mvcount(mvfilter(callscachedarr="true")) | eval callscachedarrfalse=mvcount(mvfilter(callscachedarr="false")) | fillnull value=0 callscachedarrtrue callscachedarrfalse | eval cachedprecentage=callscachedarrtrue/(callscachedarrtrue+callscachedarrfalse)| table calls callsarr callsts callscachedarr callscachedarrtrue callscachedarrfalse cachedprecentage

Unfortunately, I'm unable to filter the array to only the elements that had ts <=3.... so i end up with 3/4 = .75 instead of 2/3=.66

harsmarvania57 · ‎12-18-2018

Hi,

Can you please try below query ?

<yourBaseSearch>
| spath
| rename calls{}.* as *
| rename "context.cached" as cached
| eval temp=mvzip(call,ts), temp1=mvzip(temp,cached)
| mvexpand temp1
| eval call=mvindex(split(temp1,","),0), ts=mvindex(split(temp1,","),1), cached=mvindex(split(temp1,","),2)
| where ts<=3
| stats count as TotalCount, sum(eval(if(cached="true",1,0))) as TrueCount
| eval Percentage=(TrueCount/TotalCount)*100

Below is run anywhere search which is generating 3 Columns, TotalCount, TrueCount and Percentage

| makeresults
| eval _raw="{\"calls\":[{\"call\":\"a\",\"ts\":\"1\",\"context\":{\"cached\":\"false\"}},{\"call\":\"b\",\"ts\":\"2\",\"context\":{\"cached\":\"true\"}},{\"call\":\"c\",\"ts\":\"3\",\"context\":{\"cached\":\"true\"}},{\"call\":\"d\",\"ts\":\"4\",\"context\":{\"cached\":\"true\"}}]}"
| spath
| rename calls{}.* as *
| rename "context.cached" as cached
| eval temp=mvzip(call,ts), temp1=mvzip(temp,cached)
| mvexpand temp1
| eval call=mvindex(split(temp1,","),0), ts=mvindex(split(temp1,","),1), cached=mvindex(split(temp1,","),2)
| where ts<=3
| stats count as TotalCount, sum(eval(if(cached="true",1,0))) as TrueCount
| eval Percentage=(TrueCount/TotalCount)*100

parsing of array in splunk mvfilter

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services