Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Need help with Splunk Query

vinoths_82
Explorer
‎08-24-2020 03:06 PM

Hi

What I have:

I have a list of events with multiple <Key,Value> pairs. For eg., like below

event1:attributes:{"test__c":90, "abc":10,"now__c":10 }

event2:attributes:{"bcf:90, abc:10}

event1:attributes:{"testing__c":10, "abc":10,"now__c":100 }

As you can, some rows have attributes fields with a substr "__c" and the rest do not. 

What I want:

Now, I want to iterate over a list of events and calculate a total of all field values (fields which has substr __c) and display that in a table format like below

Total__C

100. (Since event 1 has 2 __c substr fields, their values add to 100)

0 (event2 has no __c fields, so default to 0)

110 (event3 has 2 fields)

What I tried:

I used foreach like below for 1 event, but I am not sure how to do it for all events iteratively.

fields * | foreach *__c [ eval TotalCustom = TotalCustom + '<<FIELD>>'] | table TotalCustom

Can someone help me with this?

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-25-2020 06:48 AM

Your solution was very close and the fix was not obvious.  This run-anywhere example works with your sample data, however.

| makeresults | eval data="event1:attributes:{\"test__c\":90, \"abc\":10, \"now__c\":10 }|
event2:attributes:{\"bcf\":90, \"abc\":10 }|
event1:attributes:{\"testing__c\":10, \"abc\":10, \"now__c\":100 }" | eval data=split(data,"|") | mvexpand data | eval _raw=data | extract pairdelim="{, ", kvdelim=":"
```Above just defines test data```
| eval TotalCustom = 0 
| foreach *__c [ eval TotalCustom = TotalCustom + coalesce('<<FIELD>>', 0)]
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-25-2020 06:48 AM

Your solution was very close and the fix was not obvious.  This run-anywhere example works with your sample data, however.

| makeresults | eval data="event1:attributes:{\"test__c\":90, \"abc\":10, \"now__c\":10 }|
event2:attributes:{\"bcf\":90, \"abc\":10 }|
event1:attributes:{\"testing__c\":10, \"abc\":10, \"now__c\":100 }" | eval data=split(data,"|") | mvexpand data | eval _raw=data | extract pairdelim="{, ", kvdelim=":"
```Above just defines test data```
| eval TotalCustom = 0 
| foreach *__c [ eval TotalCustom = TotalCustom + coalesce('<<FIELD>>', 0)]
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

vinoths_82
Explorer
‎08-25-2020 05:04 PM

Thanks for the answer. 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...