Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to achieve grouping the results using field present inside a json array?

ghostrider
Path Finder
‎09-29-2022 11:14 PM

I have below format log messages. At the end I want to group the messages by BID. I tried using the below query but I am not getting any events even though there are events that qualify my query. 

 

 

{
"details" : [
{
"BID" : "123"
},
{
"BID" :  "456"
}
]
}

 

 

 

Expected Output : 

 

BID  Count
123  4
456  3

 

 

Query I am using :

 

{my_search}
| rex field=MESSAGE "(?<JSON>\{.*\})"
| spath input=JSON path=details.BID
| stats values(details.BID) as "BID" by CORRID
| stats count as Count by "BID"

 

 

0 Karma
Reply

ghostrider
Path Finder
‎10-03-2022 05:04 AM

Thanks you so much!! I just had one doubt. So these BIDs correspond to some static fields which describe what BID is. Like BID :  123 corresponds to Apple. This detail/description is however not present in the events or search results. Is there any way to configure these as static fields which will get displayed when the billing code is displayed Like below

Output

Description BID  Count
Apple       123  4
Orange      456  3



0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎10-03-2022 07:24 AM

@ghostrider 

You can create a lookup with BID and description mapping. And use the lookup in your search.

BID,Description
123,Apple

 

https://docs.splunk.com/Documentation/SplunkCloud/latest/Knowledge/ConfigureCSVlookups

https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Lookup

 

I hope this will help you.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎09-29-2022 11:57 PM

@ghostrider 

Can you please try this?

YOUR_SEARCH
| rename "details{}.BID" as BID
| stats count as Count by BID

OR

YOUR_SEARCH | spath
| rename "details{}.BID" as BID
| stats count as Count by BID

 

My Sample Search :

| makeresults | eval _raw="{
\"details\" : [
{
\"BID\" : \"123\"
},
{
\"BID\" :  \"456\"
}
]
}" | spath
| rename "details{}.BID" as BID
| stats count as Count by BID

 

Screenshot 2022-09-30 at 12.26.58 PM.png

 

I hope this will help you.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...