Getting Data In

parsing of array in splunk mvfilter

dtakacssplunk
Explorer

In my data I have rows such as this:

{"calls":[{"call":"a","ts":"1","context":{"cached":"false"}},{"call":"b","ts":"2","context":{"cached":"true"}},{"call":"c","ts":"3","context":{"cached":"true"}},{"call":"d","ts":"4","context":{"cached":"true"}}]}

I want to find the rows which happened at ts <= 3 and see what % of them were are cached or not

I have the query:

index=*  | stats count | eval cutoffts=3 | eval calls="{\"calls\":[{\"call\":\"a\",\"ts\":\"1\",\"context\":{\"cached\":\"false\"}},{\"call\":\"b\",\"ts\":\"2\",\"context\":{\"cached\":\"true\"}},{\"call\":\"c\",\"ts\":\"3\",\"context\":{\"cached\":\"true\"}},{\"call\":\"d\",\"ts\":\"4\",\"context\":{\"cached\":\"true\"}}]}" | eval callsarr=spath(calls,"calls{}") | eval callsts=spath(calls, "calls{}.ts") | eval callscachedarr=spath(calls, "calls{}.context.cached") | eval callscachedarrtrue=mvcount(mvfilter(callscachedarr="true")) | eval callscachedarrfalse=mvcount(mvfilter(callscachedarr="false")) | fillnull value=0 callscachedarrtrue callscachedarrfalse | eval cachedprecentage=callscachedarrtrue/(callscachedarrtrue+callscachedarrfalse)| table calls callsarr callsts callscachedarr callscachedarrtrue callscachedarrfalse cachedprecentage

alt text

Unfortunately, I'm unable to filter the array to only the elements that had ts <=3.... so i end up with 3/4 = .75 instead of 2/3=.66

Tags (1)
0 Karma

harsmarvania57
Ultra Champion

Hi,

Can you please try below query ?

<yourBaseSearch>
| spath
| rename calls{}.* as *
| rename "context.cached" as cached
| eval temp=mvzip(call,ts), temp1=mvzip(temp,cached)
| mvexpand temp1
| eval call=mvindex(split(temp1,","),0), ts=mvindex(split(temp1,","),1), cached=mvindex(split(temp1,","),2)
| where ts<=3
| stats count as TotalCount, sum(eval(if(cached="true",1,0))) as TrueCount
| eval Percentage=(TrueCount/TotalCount)*100

Below is run anywhere search which is generating 3 Columns, TotalCount, TrueCount and Percentage

| makeresults
| eval _raw="{\"calls\":[{\"call\":\"a\",\"ts\":\"1\",\"context\":{\"cached\":\"false\"}},{\"call\":\"b\",\"ts\":\"2\",\"context\":{\"cached\":\"true\"}},{\"call\":\"c\",\"ts\":\"3\",\"context\":{\"cached\":\"true\"}},{\"call\":\"d\",\"ts\":\"4\",\"context\":{\"cached\":\"true\"}}]}"
| spath
| rename calls{}.* as *
| rename "context.cached" as cached
| eval temp=mvzip(call,ts), temp1=mvzip(temp,cached)
| mvexpand temp1
| eval call=mvindex(split(temp1,","),0), ts=mvindex(split(temp1,","),1), cached=mvindex(split(temp1,","),2)
| where ts<=3
| stats count as TotalCount, sum(eval(if(cached="true",1,0))) as TrueCount
| eval Percentage=(TrueCount/TotalCount)*100
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...