How to count the number of event based on JSON fie...

samgol · ‎02-01-2021

I want to count the number of occurrence of a specific JSON structure. For example in my event there is a field called data which its value is JSON . but this field can have a variety of structures. like:

data = {a: "b"}
data= {d: "x", h: "e"}

now I want to know how many event has data with each JSON structure and I don't care about values only keys are matter. So I want to count JSON that has similar keys.

tscroggins · ‎02-20-2021

@samgol

You can get an approximate count by JSON key schema using something like this:

Note that two schemas with the same field counts will be combined into a single set.

Another possibility is removing values and normalizing them to "" in data before grouping:

| eval data=replace(data, "\" ?: ?(?:\"(?:\\\"|.*?)\"|[-\d\.eE]+)", "\":\"\"")
| stats count by data

{"a": "b"} => {"a":""}
{"d": "x", "h": "e"} => {"d":"", "h":""}

data count
{"a":""} 1
{"d":"", "h":""} 1

How to count the number of event based on JSON field structure/keys in Splunk

field extraction

fields

regex

stats

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!