Splunk Search

How to count the number of event based on JSON field structure/keys in Splunk

samgol
New Member

I want to count the number of occurrences of a specific JSON structure. For example, in my event there is a field called data whose value is JSON, but this field can have a variety of structures, like:

data = {a: "b"}
data= {d: "x", h: "e"}

Now I want to know how many events have data with each JSON structure. I don't care about values; only keys matter. So I want to count JSON objects that have similar keys.

0 Karma

tscroggins
Influencer

@samgol 

You can get an approximate count by JSON key schema using something like this:

| fields data
| spath input=data
| fields - data
| foreach * [ eval <<FIELD>>="" ]
| fieldsummary
| fields field count
| mvcombine field

Note that two schemas with the same field counts will be combined into a single set.

Another possibility is removing values and normalizing them to "" in data before grouping:

| eval data=replace(data, "\" ?: ?(?:\"(?:\\\"|.*?)\"|[-\d\.eE]+)", "\":\"\"")
| stats count by data

{"a": "b"} => {"a":""}
{"d": "x", "h": "e"} => {"d":"", "h":""}

data    count
{"a":""}    1
{"d":"", "h":""}    1

0 Karma
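The value-blanking idea from the second approach above, carried out offline in Python as an added example (this is not code from the post, from tscroggins, or from Splunk). Instead of a regex over the raw text, it parses each data value and blanks every leaf value recursively, so nested objects and arrays also collapse to a key schema, and it sorts keys before serializing, so {"h":..,"d":..} and {"d":..,"h":..} land in the same bucket. The replace() in the SPL answer leaves key order and whitespace untouched, so those would count as two schemas there. The event list, the field names and the helper names below are constructed for the demonstration.

```python
import json
from collections import Counter

# Constructed sample values of the "data" field (not from the original post).
EVENTS = [
    '{"a": "b"}',
    '{"d": "x", "h": "e"}',
    '{"a": "zzz"}',
    '{"h": "1", "d": "2"}',               # same keys as the second event, different order
    '{"a": {"n": 1}, "list": [1, 2]}',    # nested object and array
    'not json at all',                    # malformed value, must not crash the count
]


def blank_values(value):
    """Replace every leaf value with "" while keeping the key structure.

    Objects keep their keys (sorted, so key order never splits a schema);
    arrays keep one representative per distinct element schema;
    scalars become "" because only keys matter for the count.
    """
    if isinstance(value, dict):
        return {k: blank_values(v) for k, v in sorted(value.items())}
    if isinstance(value, list):
        shapes = []
        for item in value:
            shape = blank_values(item)
            if shape not in shapes:
                shapes.append(shape)
        return shapes
    return ""


def schema_key(data_text):
    """Canonical schema string for one data value, or None if it is not JSON.

    The output format matches the SPL answer's normalized form, e.g. {"a":""}.
    """
    try:
        parsed = json.loads(data_text)
    except (TypeError, ValueError):
        return None
    return json.dumps(blank_values(parsed), separators=(",", ":"), sort_keys=True)


def count_schemas(events):
    """Return (Counter of schema -> event count, number of unparseable values)."""
    counts = Counter()
    unparsed = 0
    for text in events:
        key = schema_key(text)
        if key is None:
            unparsed += 1
        else:
            counts[key] += 1
    return counts, unparsed


if __name__ == "__main__":
    counts, unparsed = count_schemas(EVENTS)
    print(f"{'data':<40} count")
    for schema, n in counts.most_common():
        print(f"{schema:<40} {n}")
    print(f"unparseable values: {unparsed}")
```

Unparseable values are counted separately rather than dropped, since a sudden rise in malformed data is itself worth knowing about when the point of the exercise is to see which shapes a field takes.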