Count values in array of objects based on other at...

krussche · ‎06-26-2020

I have an array of objects containing field componentType with value "Software" or "Licenses". In the same object there is a field downloadCount expressing how many files were downloaded for that software / license. I need to create a table where each row shows the total number of file downloads for both software and licenses per array of objects.
e.g.
Software Downloads. License Downloads

5 1

0 0

... ...

here is how one row of the data looks.
[
{componentType=Software, downloadCount=2},
{componentType=License, downloadCount=1},
{componentType=Software, downloadCount=3}
]

Any help is appreciated 🙂

to4kawa · ‎06-27-2020

sample:

| makeresults 
| eval _raw="[
{componentType=Software, downloadCount=2},
{componentType=License, downloadCount=1},
{componentType=Software, downloadCount=3}
]"
| multikv noheader=t
| kv
| stats sum(downloadCount) by componentType

but your log is not actual. so, kv can't work

krussche · ‎06-30-2020

Unfortunately this didn't work.

To clarify my results are tabled where each row in the table looks like this:

[
{componentType=Software, downloadCount=2},
{componentType=License, downloadCount=1},
{componentType=Software, downloadCount=3}
]

Then i need the resulting table to be like this

software License

5. 1 <-- from table row shown above

99 99. <-- next row from original table not shown

88. 88 <--3rd row in my original table not shown

Count values in array of objects based on other attributes in that object

count

field extraction

regex

stats

subsearch

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I

Are you a member of the Splunk Community?

Count values in array of objects based on other attributes in that object