Solved: Re: How do we count the fields inside a JSON array...

yahoohunk · ‎04-08-2016

Each log entry contains some json. There is a field that is an array. I want to count the items in that array.

Example json data
{
"field1": "sample",
"messages": [
"noop",
"missing",
"error",
"unknown"
]
}

We've tried index="test_index" | spath input=log | regex id = "a|b" | stats count(messages)

Our desired output is something like:
id message count
a noop 5
a error 8

yahoohunk · ‎04-11-2016

Thanks for the suggestion martin_mueller. We got what we wanted by using the following.

index="test_index" | spath input=log
| regex templateId = "10|15"
| stats count(eval(source == "mail")) AS COUNT by id,messages{}

yahoohunk · ‎04-11-2016

Thanks for the suggestion martin_mueller. We got what we wanted by using the following.

index="test_index" | spath input=log
| regex templateId = "10|15"
| stats count(eval(source == "mail")) AS COUNT by id,messages{}

martin_mueller · ‎04-08-2016

Assuming the array was extracted by the spath into the field messages{}, you can do this:

... | spath input=log | rename messages{} as messages | eval message_count = mvcount(messages) | stats sum(message_count)

How do we count the fields inside a JSON array?