Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted

Count values in array of objects based on other attributes in that object

krussche
Observer
Friday

I have an array of objects containing  field componentType with value "Software" or "Licenses".  In the same object there is a field downloadCount expressing how many files were downloaded for that software / license.  I need to create a table where each row shows the total number of file downloads for both software and licenses per array of objects.
e.g.
Software Downloads.    License Downloads

5                                                1

0                                               0

...                                               ...

here is how one row of the data looks.
[
{componentType=Software, downloadCount=2},
{componentType=License, downloadCount=1},
{componentType=Software, downloadCount=3}
]

Any help is appreciated 🙂

0 Karma
Reply
Highlighted

Re: Count values in array of objects based on other attributes in that object

to4kawa
Ultra Champion
Saturday

sample:

| makeresults 
| eval _raw="[
{componentType=Software, downloadCount=2},
{componentType=License, downloadCount=1},
{componentType=Software, downloadCount=3}
]"
| multikv noheader=t
| kv
| stats sum(downloadCount) by componentType

but your log is not actual. so, kv can't work

0 Karma
Reply
Highlighted

Re: Count values in array of objects based on other attributes in that object

krussche
Observer
yesterday

Unfortunately this didn't work.  

To clarify my results are tabled where each row in the table looks like this:

[
{componentType=Software, downloadCount=2},
{componentType=License, downloadCount=1},
{componentType=Software, downloadCount=3}
]

Then i need the resulting table to be like this

software    License

5.                   1           <-- from table row shown above

99                  99.      <-- next row from original table not shown

88.                 88       <--3rd row in my original table not shown

0 Karma
Reply
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.