Splunk Search

Count distinct instances of a field which is an arbitrary structure

ojensen
Explorer

Say I have events of the form:

{
  "something": "cool",
  "subfield": {
    "this": "may contain",
    "arbitrary": ["things"],
    "and": {
      "more": "stuff"
    }
  }
}

The internal structure of `subfield` is arbitrary. I would like to count how many different `subfield` values I have. How can I accomplish this?

My initial thought was maybe there was some function I could use to JSON encode the field, so that I could just have an

| eval subfieldstr = to_json_string(subfield) 

and then I could just do a "stats dc" on subfieldstr, but I can't find such a function, and searching for it is difficult (there are endless results of people trying to do the exact opposite).

1 Solution

ojensen
Explorer

After a lot of experimentation, I've found that I can convert a field into a JSON-encoded string by simply extracting it from _raw, since json_extract does not seem to operate recursively. It's a bit of a roundabout way of getting there, but it seems to do the trick. So essentially I can do

index=whatever my search here
| eval subfieldstr = json_extract(_raw, "subfield")
| stats dc(subfieldstr) as count

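To make the behaviour of this approach visible without an index, here is an added example (not from the original thread) that runs the same technique over four constructed events built with makeresults: two with identical nested objects, one whose subfield is an array, and one with no subfield at all. json_extract hands back nested objects and arrays as their JSON text, which is what dc then compares, and events with no subfield yield null, which dc ignores.

```spl
| makeresults count=4
| streamstats count AS n
| eval _raw = case(
    n == 1, "{\"something\": \"cool\", \"subfield\": {\"this\": \"may contain\", \"arbitrary\": [\"things\"]}}",
    n == 2, "{\"something\": \"cool\", \"subfield\": {\"this\": \"may contain\", \"arbitrary\": [\"things\"]}}",
    n == 3, "{\"something\": \"cool\", \"subfield\": [\"just\", \"a\", \"list\"]}",
    n == 4, "{\"something\": \"cool\"}")
| eval subfieldstr = json_extract(_raw, "subfield")
| stats dc(subfieldstr) AS distinct_subfields, count AS events, count(subfieldstr) AS events_with_subfield
```

Expected result: distinct_subfields=2, events=4, events_with_subfield=3. Swapping the final line for `| stats count BY subfieldstr` lists each distinct serialized subfield with its event count, which is useful for spotting values that differ only in serialization (spacing or key order) and would otherwise be counted separately.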