Re: A table data with multiple JSON fields

shashaikhhh · ‎06-23-2022

I need count of cloudfront-viewer-country and sec-ch-ua-platform for each Origin

Please help.

Expected Result:

If site1 has only 2 countries and site2 has one extra platform, then the expected result should be like below.

Origin	Platform	Platform Count	Country	Country Count
https://www.site1.com	Android	10	US	22
	macOS	12	UK	3
	Windows	6
https://www.site2.com	Android	4	US	8
	macOS	4	UK	1
	Windows	2	AU	1
			IND	5

Data:

{
"additional": {
"method": "POST",
"url": "/api/resource/getContentEditorData",
"headers": {
"cloudfront-viewer-country": "US",
"origin": "https://www.site1.com",
"sec-ch-ua-platform": "\"Android\""
}
},
"level": "notice",
"message": "INCOMING REQUEST: POST /api/resource/getContentEditorData"
}

============

{
"additional": {
"method": "POST",
"url": "/api/resource/getContentEditorData",
"headers": {
"cloudfront-viewer-country": "UK",
"origin": "https://www.site1.com",
"sec-ch-ua-platform": "\"Windows\""
}
},
"level": "notice",
"message": "INCOMING REQUEST: POST /api/resource/getContentEditorData"
}

=========================

{
"additional": {
"method": "POST",
"url": "/api/resource/getContentEditorData",
"headers": {
"cloudfront-viewer-country": "AU",
"origin": "https://www.site2.com",
"sec-ch-ua-platform": "\"Windows\""
}
},
"level": "notice",
"message": "INCOMING REQUEST: POST /api/resource/getContentEditorData"
}

yuanliu · ‎06-27-2022

What kamlesh_vaghela asks is an explanation of the requirement because the OP is extremely vague. For example, what constitutes a "Platform Count" and what constitutes a "Country Count"? Your illustrated outcome requires a lot more data than illustrated in the post, i.e., illustrated data is insufficient to produce the outcome, there is no mathematically unique solution.

Sometimes it is difficult to illustrate sufficient data. When this happens, the next best thing is to supply some pseudo code, or some of your failed code so others can more easily understand what you need.

After trying to assemble some scenarios to satisfy the outcome, I, too, failed to see what kind of data set can give you distinct "Platform Count" AND "Country Count" by origin. Please explain by additional data or by your attempted code.

kamlesh_vaghela · ‎06-24-2022

@shashaikhhh

Can you please share some sample RAW (_raw field) events and the expected output from those events?

Bcoz I'm not able identify which events would fall under this scenario

KV

shashaikhhh · ‎06-27-2022

{"additional":{"method":"POST","url":"/api/login/user","headers":{"accept-encoding":"gzip, deflate, br","appcontext":"marketplace","cloudfront-forwarded-proto":"https","cloudfront-is-desktop-viewer":"true","cloudfront-is-mobile-viewer":"false","cloudfront-is-smarttv-viewer":"false","cloudfront-is-tablet-viewer":"false","cloudfront-viewer-country":"","content-type":"application/json","origin":"https://www.myprepaidcenter.com","sec-ch-ua":"\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"102\", \"Google Chrome\";v=\"102\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Windows\"","sec-fetch-dest":"empty","sec-fetch-mode":"cors",,"connection":"Keep-Alive"},"body":{"agg":"prod-pri-b-10.185.32.135","index":"bhn_apps","host":"production-HI-Marketplace-Y"}

Help with A table data with multiple JSON fields

eval

join

stats

table

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation