Search help - find total sum of lengths of array

ys2119 · ‎10-27-2021

My current search returns a series of events like:

{'field1' : {'field2' : [obj1, obj2, obj3]}}

{'field1' : {'field2' : [obj4, obj5]}}

{'field1' : {'field2' : [obj6]}}

I want to return the total sum of the lengths of the field1.field2 lists - in this case, would be 3 + 2 + 1 = 6

Can anyone help me with an easy way to do this?

somesoni2 · ‎10-27-2021

Are the fields (field1 and field2) already extracted?

ys2119 · ‎10-27-2021

No, I just have the query (CURRENT_QUERY) that returns that list of events, but I still need to extract the inner list

And I think stats count(field1.field2) will get the length of the array..but not sure how to return a single number for the total sum of lengths

I also tried using spath like - spath output=myarray path=field1.field2{} but not sure what to do with it

somesoni2 · ‎10-27-2021

Can you list the name of fields (exact name) and sample values (output of simple search like "index=foo sourcetype=bar | head 1 | table field1 field1.field2{}")?

You can basically use "eval - split" on field2 by comma (which will give a multivalued field) and then use mvcount function to get the count of values in the resulting multivalued field).

Search help - find total sum of lengths of array

eval

fields

stats

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?

Search help - find total sum of lengths of array

eval

fields

stats

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers