Splunk Search

How to count unique elements of an unstructured array?

aj_54321
Explorer

Hi! I have unstructured log in the following format, and I can't seem to figure out how I can count the number of occurrences for each key in "keys"

 

log: I, [2022-03-25T18:29:43.325002 #55]  INFO -- : {:entry=>[{:op=>"operation1", :keys=>["key:my_key5, size:6309"]}]}

log: I, [2022-03-25T18:29:43.324043 #56]  INFO -- : {:entry=>[{:op=>"operation2", :keys=>["key:my_key6, size:159", "key:my_key5, size:6309", "key:my_key7, size:151", "key:my_key8, size:132"]}]}

log: I, [2022-03-25T18:29:43.322759 #57]  INFO -- : {:entry=>[{:op=>"operation3", :keys=>["key:smy_key9, size:4"]}]}

log: I, [2022-03-25T18:29:43.317421 #58]  INFO -- : {:entry=>[{:op=>"operation3", :keys=>["key:my_key6, size:159"]}]}


log: I, [2022-03-25T18:29:43.311789 #55]  INFO -- : {:entry=>[{:op=>"operation1", :keys=>["key:7, size:151"]}]}

 

 What I'm trying to get is the count of each key in "keys[]". For example, the above would yield the following result:

 

 

my_key5  2
my_key6  2
my_key7  1
my_key8  1
my_key9  1

 

 

Ideally I can display the "size" of each key as well, like a table or something. But that might be too complicated.

 

What I have so far is only a query that can count the number of occurrences for each operation:

 

| rex field=log "op=>\"(?<operation>\w*)\"" | stats count by operation

 

 but not sure how I can count the unique keys inside the array.

Labels (5)
Tags (2)
0 Karma
1 Solution

Stefanie
Builder

Try this? 

 

(your search) | rex (?<keys>"my_key\d") |stats count by keys 

 

View solution in original post

Stefanie
Builder

Try this? 

 

(your search) | rex (?<keys>"my_key\d") |stats count by keys 

 

Get Updates on the Splunk Community!

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Avoid Certificate Expiry Issues in Splunk Enterprise with Certificate Assist

This blog post is part 2 of 4 of a series on Splunk Assist. Click the links below to see the other ...

Using Machine Learning for Hunting Security Threats

REGISTER NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more ...