Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Count values in array of objects based on othe...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Count values in array of objects based on other attributes in that object
I have an array of objects containing field componentType with value "Software" or "Licenses". In the same object there is a field downloadCount expressing how many files were downloaded for that software / license. I need to create a table where each row shows the total number of file downloads for both software and licenses per array of objects.
e.g.
Software Downloads. License Downloads
5 1
0 0
... ...
here is how one row of the data looks.
[
{componentType=Software, downloadCount=2},
{componentType=License, downloadCount=1},
{componentType=Software, downloadCount=3}
]
Any help is appreciated 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sample:
| makeresults
| eval _raw="[
{componentType=Software, downloadCount=2},
{componentType=License, downloadCount=1},
{componentType=Software, downloadCount=3}
]"
| multikv noheader=t
| kv
| stats sum(downloadCount) by componentTypebut your log is not actual. so, kv can't work
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unfortunately this didn't work.
To clarify my results are tabled where each row in the table looks like this:
[
{componentType=Software, downloadCount=2},
{componentType=License, downloadCount=1},
{componentType=Software, downloadCount=3}
]Then i need the resulting table to be like this
software License
5. 1 <-- from table row shown above
99 99. <-- next row from original table not shown
88. 88 <--3rd row in my original table not shown
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Observability Simplified: Combining User Experience, Application Performance & ...
Event Series May & June: From Network Visibility to Service Intelligence
