Solved: Count distinct instances of a field which is an ar...

ojensen · ‎11-01-2023

Say I have events of the form:

{
    something: "cool",
    subfield: {
        this: "may contain",
        arbitrary: ["things"],
        and: {
            more: "stuff"
        }
    }
}

The internal structure of `subfield` is arbitrary. I would like to count how many different `subfield` values I have. How can I accomplish this?

My initial thought was maybe there was some function I could use to JSON encode the field, so that I could just have an

| eval subfieldstr = to_json_string(subfield)

and then I could just do a "stats dc" on subfieldstr, but I can't find such a function, and searching for it is difficult (there are endless results of people trying to do the exact opposite)

ojensen · ‎11-01-2023

After a lot of experimentation, I've found that I can convert a field into a json-encoded string by simply extracting it from _raw, since json_extract does not seem to operate recursively. It's a bit of a roundabout way of getting there, but it seems to do the trick. So essentially I can do

index=whatever my search here
| eval subfieldstr = json_extract(_raw, "subfield")
| stats dc(subfieldstr) as count

View solution in original post

ojensen · ‎11-01-2023

After a lot of experimentation, I've found that I can convert a field into a json-encoded string by simply extracting it from _raw, since json_extract does not seem to operate recursively. It's a bit of a roundabout way of getting there, but it seems to do the trick. So essentially I can do

index=whatever my search here
| eval subfieldstr = json_extract(_raw, "subfield")
| stats dc(subfieldstr) as count

Count distinct instances of a field which is an arbitrary structure

count

eval

stats

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?