How to count the number of event based on JSON fie...

samgol · ‎02-01-2021

I want to count the number of occurrence of a specific JSON structure. For example in my event there is a field called data which its value is JSON . but this field can have a variety of structures. like:

data = {a: "b"}
data= {d: "x", h: "e"}

now I want to know how many event has data with each JSON structure and I don't care about values only keys are matter. So I want to count JSON that has similar keys.

tscroggins · ‎02-20-2021

@samgol

You can get an approximate count by JSON key schema using something like this:

Note that two schemas with the same field counts will be combined into a single set.

Another possibility is removing values and normalizing them to "" in data before grouping:

| eval data=replace(data, "\" ?: ?(?:\"(?:\\\"|.*?)\"|[-\d\.eE]+)", "\":\"\"")
| stats count by data

{"a": "b"} => {"a":""}
{"d": "x", "h": "e"} => {"d":"", "h":""}

data count
{"a":""} 1
{"d":"", "h":""} 1

How to count the number of event based on JSON field structure/keys in Splunk

field extraction

fields

regex

stats

Observe and Secure All Apps with Splunk

What's New in Splunk Observability - August 2025

Introduction to Splunk AI

Are you a member of the Splunk Community?