Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How can I count mv fields by type?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
akshaysaraf
Explorer
03-02-2020
05:11 PM
My data looks like:
{
parent_id: 1
child_info: [
{
id: 123,
status: "PASS"
},
{
id: 456,
status: "FAIL"
}
]
}
I am trying to print the result in format:
parent ID | Child_Passed_count | Child_Failed_count
1 1 1
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
03-02-2020
10:09 PM
This is another case of FIX YOUR BROKEN JSON. Here is how you can manually fix it but really, get it fixed at the source:
| makeresults
| eval _raw = "{
parent_id: 1
child_info: [
{
id: 123,
status: \"PASS\"
},
{
id: 456,
status: \"FAIL\"
},
{
id: 457,
status: \"FAIL\"
}
]
}"
| rename COMMENT AS "Everything above generates BROKEN JSON; everything below is your solution"
| rex mode=sed "s/([\r\n\s]+)([^\r\n\s\"]+):/\1\"\2\":/g s/([^{\[\r\n\s:,])([\r\n\s]+\")/\1,\2/g"
| kv
| chart count BY parent_id child_info{}.status
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
03-02-2020
10:09 PM
This is another case of FIX YOUR BROKEN JSON. Here is how you can manually fix it but really, get it fixed at the source:
| makeresults
| eval _raw = "{
parent_id: 1
child_info: [
{
id: 123,
status: \"PASS\"
},
{
id: 456,
status: \"FAIL\"
},
{
id: 457,
status: \"FAIL\"
}
]
}"
| rename COMMENT AS "Everything above generates BROKEN JSON; everything below is your solution"
| rex mode=sed "s/([\r\n\s]+)([^\r\n\s\"]+):/\1\"\2\":/g s/([^{\[\r\n\s:,])([\r\n\s]+\")/\1,\2/g"
| kv
| chart count BY parent_id child_info{}.status
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
akshaysaraf
Explorer
03-03-2020
03:30 PM
Actually I didn't add double quotes while asking this question, the data in production server does have it.
I was trying it with stats, but wasn't giving expected result. Thank You for you help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
03-03-2020
08:23 PM
That would have saved me 90% of my effort.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sumanssah
Communicator
03-02-2020
09:51 PM
Try using this
<your base search>
| rex "(?<json>\{.+)" | spath input=json | fields - json
| rename child_info{}.id AS child_id child_info{}.status AS child_status
| mvexpand child_status
| stats count(eval(child_status=="PASS")) as Child_Passed_count count(eval(child_status=="FAIL")) as Child_Failed_count by parent_id
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
anmolpatel
Builder
03-02-2020
09:02 PM
| makeresults
| eval jsonTest = "{
\"parent_id\": 1,
\"child_info\": [
{
\"id\": \"123\",
\"status\": \"PASS\"
},
{
\"id\": \"456\",
\"status\": \"FAIL\"
},
{
\"id\": \"457\",
\"status\": \"FAIL\"
}
]
}"
| spath input=jsonTest path=parent_id output=parent_id
| spath input=jsonTest output=id_initial path=child_info{}.id
| spath input=jsonTest output=status_initial path=child_info{}.status
| eval val = mvzip(id_initial, status_initial)
| mvexpand val
| eval mvVal = split(val, ",")
| eval id = mvindex(mvVal, 0)
| eval status = mvindex(mvVal, 1)
| stats count(eval(status=="PASS")) as Child_Passed_count count(eval(status=="FAIL")) as Child_Failed_count by parent_id
parent_id Child_Passed_count Child_Failed_count
1 1 2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
akshaysaraf
Explorer
03-02-2020
09:07 PM
Thank you, but in my production server I have about 500,000 events which means 500,000 parent ID's, and each parent has about 200 child records. When I mvexpand for such fields I run out of memory and the search truncates my result. Is there a way of doing it without mvexpand?
Get Updates on the Splunk Community!
Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 2)
Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...
Index This | I am a number but I am countless. What am I?
January 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
Happy New Year! We’re ...
What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience
PLATFORM TECH TALKS
What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience
Thursday, February 27, ...
