Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to achieve grouping the results using field present inside a json array?

ghostrider
Path Finder
‎09-29-2022 11:14 PM

I have below format log messages. At the end I want to group the messages by BID. I tried using the below query but I am not getting any events even though there are events that qualify my query. 

 

 

{
"details" : [
{
"BID" : "123"
},
{
"BID" :  "456"
}
]
}

 

 

 

Expected Output : 

 

BID  Count
123  4
456  3

 

 

Query I am using :

 

{my_search}
| rex field=MESSAGE "(?<JSON>\{.*\})"
| spath input=JSON path=details.BID
| stats values(details.BID) as "BID" by CORRID
| stats count as Count by "BID"

 

 

0 Karma
Reply

ghostrider
Path Finder
‎10-03-2022 05:04 AM

Thanks you so much!! I just had one doubt. So these BIDs correspond to some static fields which describe what BID is. Like BID :  123 corresponds to Apple. This detail/description is however not present in the events or search results. Is there any way to configure these as static fields which will get displayed when the billing code is displayed Like below

Output

Description BID  Count
Apple       123  4
Orange      456  3



0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎10-03-2022 07:24 AM

@ghostrider 

You can create a lookup with BID and description mapping. And use the lookup in your search.

BID,Description
123,Apple

 

https://docs.splunk.com/Documentation/SplunkCloud/latest/Knowledge/ConfigureCSVlookups

https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Lookup

 

I hope this will help you.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎09-29-2022 11:57 PM

@ghostrider 

Can you please try this?

YOUR_SEARCH
| rename "details{}.BID" as BID
| stats count as Count by BID

OR

YOUR_SEARCH | spath
| rename "details{}.BID" as BID
| stats count as Count by BID

 

My Sample Search :

| makeresults | eval _raw="{
\"details\" : [
{
\"BID\" : \"123\"
},
{
\"BID\" :  \"456\"
}
]
}" | spath
| rename "details{}.BID" as BID
| stats count as Count by BID

 

Screenshot 2022-09-30 at 12.26.58 PM.png

 

I hope this will help you.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

Reply
Get Updates on the Splunk Community!

Platform Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestIntroducing Splunk Edge Processor, simplified data ...

Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...

Thought Leaders are Validating Your Hard Work and Training Rigor

As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...