Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to build stats on JSON data?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
developer_de
New Member
05-28-2018
01:21 PM
Hi,
I would like to get help on applying stats on the following JSON data:
{
"ts":1527498793267,
"version":"1.12.7",
"data":{
"myList":[
{
"id":"180528_090203",
"nativeRequestReceived":1,
"nativeResponseSent":1
},
{
"id":"180528_090129",
"nativeRequestReceived":1,
"nativeResponseSent":1
}
],
"freemem":6534152192
},
"time":"2018-05-28T09:13:13.267Z",
"v":0
}
I started writing the query as written below, but it doesn't give desired result. split function is grouping same values of nativeResponseSent and nativeRequestReceived together.
input data | rename data.myList{}.* as * | eval mvfield=mvzip($id$,mvzip($nativeResponseSent$,$nativeRequestReceived$)) | fields mvfield | mvexpand mvfield | eval mvfield=split(mvfield,",") | eval id=mvindex(mvfield,0) | eval nativeResponseSent=mvindex(mvfield,1) | eval nativeRequestReceived=mvindex(mvfield,2) | stats sum(nativeResponseSent) sum(nativeRequestReceived) by id
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
05-28-2018
02:30 PM
@developer_de, what is the desired output? Following is the output I get when I try the following run anywhere search with the data similar to that provided by you.
id nativeResponseSent nativeRequestReceived
180528_090129 3 1
180528_090203 1 2
Following is the run anywhere search with dummy data as per the question:
| makeresults
| eval _raw="{
\"ts\":1527498793267,
\"version\":\"1.12.7\",
\"data\":{
\"myList\":[
{
\"id\":\"180528_090203\",
\"nativeRequestReceived\":2,
\"nativeResponseSent\":1
},
{
\"id\":\"180528_090129\",
\"nativeRequestReceived\":1,
\"nativeResponseSent\":3
}
],
\"freemem\":6534152192
},
\"time\":\"2018-05-28T09:13:13.267Z\",
\"v\":0
}"
| spath
| rename data.myList{}.* as *
| eval mvfield=mvzip(id,mvzip(nativeResponseSent,nativeRequestReceived))
| fields - _*
| fields mvfield
| mvexpand mvfield
| makemv mvfield delim=","
| eval id=mvindex(mvfield,0), nativeResponseSent=mvindex(mvfield,1), nativeRequestReceived=mvindex(mvfield,2)
| fields - mvfield
| stats sum(nativeResponseSent) as nativeResponseSent sum(nativeRequestReceived) as nativeRequestReceived by id
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
05-28-2018
02:30 PM
@developer_de, what is the desired output? Following is the output I get when I try the following run anywhere search with the data similar to that provided by you.
id nativeResponseSent nativeRequestReceived
180528_090129 3 1
180528_090203 1 2
Following is the run anywhere search with dummy data as per the question:
| makeresults
| eval _raw="{
\"ts\":1527498793267,
\"version\":\"1.12.7\",
\"data\":{
\"myList\":[
{
\"id\":\"180528_090203\",
\"nativeRequestReceived\":2,
\"nativeResponseSent\":1
},
{
\"id\":\"180528_090129\",
\"nativeRequestReceived\":1,
\"nativeResponseSent\":3
}
],
\"freemem\":6534152192
},
\"time\":\"2018-05-28T09:13:13.267Z\",
\"v\":0
}"
| spath
| rename data.myList{}.* as *
| eval mvfield=mvzip(id,mvzip(nativeResponseSent,nativeRequestReceived))
| fields - _*
| fields mvfield
| mvexpand mvfield
| makemv mvfield delim=","
| eval id=mvindex(mvfield,0), nativeResponseSent=mvindex(mvfield,1), nativeRequestReceived=mvindex(mvfield,2)
| fields - mvfield
| stats sum(nativeResponseSent) as nativeResponseSent sum(nativeRequestReceived) as nativeRequestReceived by id
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
developer_de
New Member
05-28-2018
03:18 PM
It works fine .. thanks !!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
05-28-2018
10:13 PM
@developer_de I have converted my comment to answer. Please accept to mark this as answered.
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
Get Updates on the Splunk Community!
Enterprise Security Content Update (ESCU) | New Releases
In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
(This is the first of a series of 2 blogs).
Splunk Enterprise Security is a fantastic tool that offers robust ...
Index This | What are the 12 Days of Splunk-mas?
December 2024 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with another ...
