- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Each log entry contains some json. There is a field that is an array. I want to count the items in that array.
Example json data
{
"field1": "sample",
"messages": [
"noop",
"missing",
"error",
"unknown"
]
}
We've tried index="test_index" | spath input=log | regex id = "a|b" | stats count(messages)
Our desired output is something like:
id message count
a noop 5
a error 8
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the suggestion martin_mueller. We got what we wanted by using the following.
index="test_index" | spath input=log
| regex templateId = "10|15"
| stats count(eval(source == "mail")) AS COUNT by id,messages{}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the suggestion martin_mueller. We got what we wanted by using the following.
index="test_index" | spath input=log
| regex templateId = "10|15"
| stats count(eval(source == "mail")) AS COUNT by id,messages{}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/f2c43/f2c43ff9fe30701b4ec7d60d5201063534e5c1eb" alt="SplunkTrust SplunkTrust"
Assuming the array was extracted by the spath
into the field messages{}
, you can do this:
... | spath input=log | rename messages{} as messages | eval message_count = mvcount(messages) | stats sum(message_count)
data:image/s3,"s3://crabby-images/1a552/1a552ff33d37f94e7c5bc13132edaa973c529815" alt=""