How to count the number of event based on JSON fie...

samgol · ‎02-01-2021

I want to count the number of occurrence of a specific JSON structure. For example in my event there is a field called data which its value is JSON . but this field can have a variety of structures. like:

data = {a: "b"}
data= {d: "x", h: "e"}

now I want to know how many event has data with each JSON structure and I don't care about values only keys are matter. So I want to count JSON that has similar keys.

tscroggins · ‎02-20-2021

@samgol

You can get an approximate count by JSON key schema using something like this:

Note that two schemas with the same field counts will be combined into a single set.

Another possibility is removing values and normalizing them to "" in data before grouping:

| eval data=replace(data, "\" ?: ?(?:\"(?:\\\"|.*?)\"|[-\d\.eE]+)", "\":\"\"")
| stats count by data

{"a": "b"} => {"a":""}
{"d": "x", "h": "e"} => {"d":"", "h":""}

data count
{"a":""} 1
{"d":"", "h":""} 1

How to count the number of event based on JSON field structure/keys in Splunk

field extraction

fields

regex

stats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

Join the Conversation