Splunk Search

Number of fields occurrence in json data

New Member

I have below data

`
{ [-]
context: { [+]
}
level: INFO
logger: x.x.x.xxx.service.xxxService
msg: Filtered statements for account XXXXX: DocumentReferences[references=[DocumentReference[reference=0000001,name=XXXXX2019,mimeType=APPLICATIONPDF,documentType=ANNUALSTATEMENT,creationDate=2019-11-18T13:37:13.000Z], DocumentReference[reference=0000002,name=XXXXX2018,mimeType=APPLICATIONPDF,documentType=ANNUALSTATEMENT,creationDate=2019-12-03T10:54:47.000Z], DocumentReference[reference=0000003,name=XXXXX2017,mimeType=APPLICATIONPDF,documentType=ANNUAL_STATEMENT,creationDate=2019-12-03T11:00:52.000Z]]]

}
`
I want to search more than one ANNUAL_STATEMENT occurrence . As above data have 3 statement then this result should return in table

Tags (3)
0 Karma

Contributor

Hi Govind,

You need to parse the JSON logs to achieve this.
To parse the logs - you need to trim down the events to make it as exact JSON Splunk expects.
Use regex or replace functionality for that.

You could use the below query after that.

|your_query
|search documentType="ANNUAL_STATEMENT"
|stats list (reference),list(name),list(mimeType),list(documentType),list(creationDate)
|where mvcount(documentType)>1
0 Karma

Communicator

Hi ,

try this

base query| spath | stats count(**documentType) as DocType, values(**reference) as Reference , values(**name) as Name by **msg| rex field=**msg "Filtered\sstatements\sfor\saccount\s(?P<AccountNo>[^\:]+)" | search DocType > 1 | table AccountNo , Name, Reference, DocType.

Here when we use spath , fields are automatically extracted . Choose the right field name that is under interesting fileds and put in above query and try .

Thanks
Anantha.

0 Karma