Splunk Search

How do we count the fields inside a JSON array?

yahoohunk
Explorer

Each log entry contains some json. There is a field that is an array. I want to count the items in that array.

Example json data
{
"field1": "sample",
"messages": [
"noop",
"missing",
"error",
"unknown"
]
}

We've tried index="test_index" | spath input=log | regex id = "a|b" | stats count(messages)

Our desired output is something like:
id message count
a noop 5
a error 8

Tags (3)
0 Karma
1 Solution

yahoohunk
Explorer

Thanks for the suggestion martin_mueller. We got what we wanted by using the following.

index="test_index" | spath input=log
| regex templateId = "10|15"
| stats count(eval(source == "mail")) AS COUNT by id,messages{}

View solution in original post

0 Karma

yahoohunk
Explorer

Thanks for the suggestion martin_mueller. We got what we wanted by using the following.

index="test_index" | spath input=log
| regex templateId = "10|15"
| stats count(eval(source == "mail")) AS COUNT by id,messages{}

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Assuming the array was extracted by the spath into the field messages{}, you can do this:

... | spath input=log | rename messages{} as messages | eval message_count = mvcount(messages) | stats sum(message_count)
Get Updates on the Splunk Community!

Message Parsing in SOCK

Introduction This blog post is part of an ongoing series on SOCK enablement. In this blog post, I will write ...

Exploring the OpenTelemetry Collector’s Kubernetes annotation-based discovery

We’ve already explored a few topics around observability in a Kubernetes environment -- Common Failures in a ...

Use ‘em or lose ‘em | Splunk training units do expire

Whether it’s hummus, a ham sandwich, or a human, almost everything in this world has an expiration date. And, ...