Count values in array of objects based on other at...

krussche · ‎06-26-2020

I have an array of objects containing field componentType with value "Software" or "Licenses". In the same object there is a field downloadCount expressing how many files were downloaded for that software / license. I need to create a table where each row shows the total number of file downloads for both software and licenses per array of objects.
e.g.
Software Downloads. License Downloads

5 1

0 0

... ...

here is how one row of the data looks.
[
{componentType=Software, downloadCount=2},
{componentType=License, downloadCount=1},
{componentType=Software, downloadCount=3}
]

Any help is appreciated 🙂

to4kawa · ‎06-27-2020

sample:

| makeresults 
| eval _raw="[
{componentType=Software, downloadCount=2},
{componentType=License, downloadCount=1},
{componentType=Software, downloadCount=3}
]"
| multikv noheader=t
| kv
| stats sum(downloadCount) by componentType

but your log is not actual. so, kv can't work

krussche · ‎06-30-2020

Unfortunately this didn't work.

To clarify my results are tabled where each row in the table looks like this:

[
{componentType=Software, downloadCount=2},
{componentType=License, downloadCount=1},
{componentType=Software, downloadCount=3}
]

Then i need the resulting table to be like this

software License

5. 1 <-- from table row shown above

99 99. <-- next row from original table not shown

88. 88 <--3rd row in my original table not shown

Count values in array of objects based on other attributes in that object

count

field extraction

regex

stats

subsearch

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms