Splunk Search

Count distinct instances of a field which is an arbitrary structure

ojensen
Explorer

Say I have events of the form:

{
  "something": "cool",
  "subfield": {
    "this": "may contain",
    "arbitrary": ["things"],
    "and": {
      "more": "stuff"
    }
  }
}

The internal structure of `subfield` is arbitrary. I would like to count how many different `subfield` values I have. How can I accomplish this?

My initial thought was maybe there was some function I could use to JSON encode the field, so that I could just have an

| eval subfieldstr = to_json_string(subfield) 

and then I could just do a "stats dc" on subfieldstr, but I can't find such a function, and searching for it is difficult (there are endless results of people trying to do the exact opposite).

1 Solution

ojensen
Explorer

After a lot of experimentation, I've found that I can convert a field into a JSON-encoded string by simply extracting it from _raw, since json_extract does not seem to operate recursively. It's a bit of a roundabout way of getting there, but it seems to do the trick. So essentially I can do:

index=whatever my search here
| eval subfieldstr = json_extract(_raw, "subfield")
| stats dc(subfieldstr) as count

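The accepted answer reduces to a general pattern: serialize the arbitrary structure to a string, then count distinct strings. The following is an added Python illustration of that pattern and of the check worth making before trusting the resulting number; it is not Splunk code and not from the original thread, and the sample events are constructed. A distinct count over strings is only as reliable as the serialization: two objects that differ only in key order or spacing count twice unless the serialization is canonical. Whether the string that json_extract returns is normalized is not stated in the thread, so on real data it is worth running `| stats count by subfieldstr` once and eyeballing the values before relying on the dc() figure.

```python
import json
from collections import Counter

# Constructed sample events (not from the original post). Events 1 and 3 hold
# the same subfield content with different key order; event 2 differs in
# content; event 4 has no subfield; event 5 is malformed JSON.
SAMPLE_EVENTS = [
    '{"something": "cool", "subfield": {"this": "may contain", '
    '"arbitrary": ["things"], "and": {"more": "stuff"}}}',
    '{"something": "cool", "subfield": {"this": "may contain", '
    '"arbitrary": ["other"], "and": {"more": "stuff"}}}',
    '{"something": "warm", "subfield": {"and": {"more": "stuff"}, '
    '"arbitrary": ["things"], "this": "may contain"}}',
    '{"something": "cold"}',
    '{"something": "broken", "subfield": {',
]


def parse_events(lines):
    """Yield each event as a dict, skipping lines that are not valid JSON
    (a failed extraction in Splunk likewise yields a null field)."""
    for line in lines:
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def serialize_as_written(value):
    """Serialize keeping the key order found in the raw event, which is what a
    substring lifted straight out of _raw would carry. Key order leaks in."""
    return json.dumps(value)


def serialize_canonical(value):
    """Canonical form: sorted keys and no insignificant whitespace, so two
    structurally equal objects always map to the same string."""
    return json.dumps(value, sort_keys=True, separators=(",", ":"))


def distinct_count(lines, field, serialize):
    """Mimic `| eval s=<serialize>(field) | stats dc(s)`. Events where the
    field is absent contribute nothing, just as dc() ignores null values."""
    seen = set()
    for event in parse_events(lines):
        if field in event:
            seen.add(serialize(event[field]))
    return len(seen)


def value_histogram(lines, field, serialize):
    """Mimic `| stats count by s`: how many events share each serialized
    value. This is the sanity check to run before trusting the dc() number."""
    counts = Counter()
    for event in parse_events(lines):
        if field in event:
            counts[serialize(event[field])] += 1
    return dict(counts)


if __name__ == "__main__":
    # Key order alone inflates the naive count from 2 to 3.
    print("as written:", distinct_count(SAMPLE_EVENTS, "subfield", serialize_as_written))
    print("canonical: ", distinct_count(SAMPLE_EVENTS, "subfield", serialize_canonical))
    for value, n in value_histogram(SAMPLE_EVENTS, "subfield", serialize_canonical).items():
        print(n, value)
```

The two counters differ only in the serializer they are handed, which is the point: the dc() logic is the same, and the answer changes with the string representation. If the values you see under `stats count by subfieldstr` look like duplicates with reordered keys, the extraction is not canonical and the distinct count is an upper bound rather than the true number of distinct structures.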
