Re: Help with A table data with multiple JSON fiel...

shashaikhhh · ‎06-23-2022

I need count of cloudfront-viewer-country and sec-ch-ua-platform for each Origin

Please help.

Expected Result:

If site1 has only 2 countries and site2 has one extra platform, then the expected result should be like below.

Origin	Platform	Platform Count	Country	Country Count
https://www.site1.com	Android	10	US	22
	macOS	12	UK	3
	Windows	6
https://www.site2.com	Android	4	US	8
	macOS	4	UK	1
	Windows	2	AU	1
			IND	5

Data:

{
"additional": {
"method": "POST",
"url": "/api/resource/getContentEditorData",
"headers": {
"cloudfront-viewer-country": "US",
"origin": "https://www.site1.com",
"sec-ch-ua-platform": "\"Android\""
}
},
"level": "notice",
"message": "INCOMING REQUEST: POST /api/resource/getContentEditorData"
}

============

{
"additional": {
"method": "POST",
"url": "/api/resource/getContentEditorData",
"headers": {
"cloudfront-viewer-country": "UK",
"origin": "https://www.site1.com",
"sec-ch-ua-platform": "\"Windows\""
}
},
"level": "notice",
"message": "INCOMING REQUEST: POST /api/resource/getContentEditorData"
}

=========================

{
"additional": {
"method": "POST",
"url": "/api/resource/getContentEditorData",
"headers": {
"cloudfront-viewer-country": "AU",
"origin": "https://www.site2.com",
"sec-ch-ua-platform": "\"Windows\""
}
},
"level": "notice",
"message": "INCOMING REQUEST: POST /api/resource/getContentEditorData"
}

yuanliu · ‎06-27-2022

What kamlesh_vaghela asks is an explanation of the requirement because the OP is extremely vague. For example, what constitutes a "Platform Count" and what constitutes a "Country Count"? Your illustrated outcome requires a lot more data than illustrated in the post, i.e., illustrated data is insufficient to produce the outcome, there is no mathematically unique solution.

Sometimes it is difficult to illustrate sufficient data. When this happens, the next best thing is to supply some pseudo code, or some of your failed code so others can more easily understand what you need.

After trying to assemble some scenarios to satisfy the outcome, I, too, failed to see what kind of data set can give you distinct "Platform Count" AND "Country Count" by origin. Please explain by additional data or by your attempted code.

kamlesh_vaghela · ‎06-24-2022

@shashaikhhh

Can you please share some sample RAW (_raw field) events and the expected output from those events?

Bcoz I'm not able identify which events would fall under this scenario

KV

shashaikhhh · ‎06-27-2022

{"additional":{"method":"POST","url":"/api/login/user","headers":{"accept-encoding":"gzip, deflate, br","appcontext":"marketplace","cloudfront-forwarded-proto":"https","cloudfront-is-desktop-viewer":"true","cloudfront-is-mobile-viewer":"false","cloudfront-is-smarttv-viewer":"false","cloudfront-is-tablet-viewer":"false","cloudfront-viewer-country":"","content-type":"application/json","origin":"https://www.myprepaidcenter.com","sec-ch-ua":"\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"102\", \"Google Chrome\";v=\"102\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Windows\"","sec-fetch-dest":"empty","sec-fetch-mode":"cors",,"connection":"Keep-Alive"},"body":{"agg":"prod-pri-b-10.185.32.135","index":"bhn_apps","host":"production-HI-Marketplace-Y"}

Help with A table data with multiple JSON fields

eval

join

stats

table

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation