Solved: How to count unique elements of an unstructured ar...

aj_54321 · ‎03-25-2022

Hi! I have unstructured log in the following format, and I can't seem to figure out how I can count the number of occurrences for each key in "keys"

log: I, [2022-03-25T18:29:43.325002 #55]  INFO -- : {:entry=>[{:op=>"operation1", :keys=>["key:my_key5, size:6309"]}]}

log: I, [2022-03-25T18:29:43.324043 #56]  INFO -- : {:entry=>[{:op=>"operation2", :keys=>["key:my_key6, size:159", "key:my_key5, size:6309", "key:my_key7, size:151", "key:my_key8, size:132"]}]}

log: I, [2022-03-25T18:29:43.322759 #57]  INFO -- : {:entry=>[{:op=>"operation3", :keys=>["key:smy_key9, size:4"]}]}

log: I, [2022-03-25T18:29:43.317421 #58]  INFO -- : {:entry=>[{:op=>"operation3", :keys=>["key:my_key6, size:159"]}]}


log: I, [2022-03-25T18:29:43.311789 #55]  INFO -- : {:entry=>[{:op=>"operation1", :keys=>["key:7, size:151"]}]}

What I'm trying to get is the count of each key in "keys[]". For example, the above would yield the following result:

my_key5  2
my_key6  2
my_key7  1
my_key8  1
my_key9  1

Ideally I can display the "size" of each key as well, like a table or something. But that might be too complicated.

What I have so far is only a query that can count the number of occurrences for each operation:

| rex field=log "op=>\"(?<operation>\w*)\"" | stats count by operation

but not sure how I can count the unique keys inside the array.

Stefanie · ‎03-25-2022

Try this?

(your search) | rex (?<keys>"my_key\d") |stats count by keys

View solution in original post

Stefanie · ‎03-25-2022

Try this?

(your search) | rex (?<keys>"my_key\d") |stats count by keys

How to count unique elements of an unstructured array?

chart

count

regex

rex

stats

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!