Search help - find total sum of lengths of array

ys2119 · ‎10-27-2021

My current search returns a series of events like:

{'field1' : {'field2' : [obj1, obj2, obj3]}}

{'field1' : {'field2' : [obj4, obj5]}}

{'field1' : {'field2' : [obj6]}}

I want to return the total sum of the lengths of the field1.field2 lists - in this case, would be 3 + 2 + 1 = 6

Can anyone help me with an easy way to do this?

somesoni2 · ‎10-27-2021

Are the fields (field1 and field2) already extracted?

ys2119 · ‎10-27-2021

No, I just have the query (CURRENT_QUERY) that returns that list of events, but I still need to extract the inner list

And I think stats count(field1.field2) will get the length of the array..but not sure how to return a single number for the total sum of lengths

I also tried using spath like - spath output=myarray path=field1.field2{} but not sure what to do with it

somesoni2 · ‎10-27-2021

Can you list the name of fields (exact name) and sample values (output of simple search like "index=foo sourcetype=bar | head 1 | table field1 field1.field2{}")?

You can basically use "eval - split" on field2 by comma (which will give a multivalued field) and then use mvcount function to get the count of values in the resulting multivalued field).

Search help - find total sum of lengths of array

eval

fields

other

stats

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!