Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Splunk Query to form a table with multiple JSON fi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk Query to form a table with multiple JSON fields
Below is my splunk raw event data
{
"additional": {
"method": "POST",
"url": "/api/resource/getContentEditorData",
"headers": {
"cloudfront-viewer-country": "US",
"origin": "https://www.site1.com",
"sec-ch-ua-platform": "\"Android\"",
}
},
"level": "notice",
"message": "INCOMING REQUEST: POST /api/resource/getContentEditorData"
}
I need count of cloudfront-viewer-country and sec-ch-ua-platform for each Origin
Please help.
Expected Result:
| Origin | Platform | Platform Count | Country | Country Count |
| https://www.site1.com | Android | 10 | US | 22 |
| macOS | 12 | UK | 3 | |
| Windows | 6 | AU | 1 | |
| https://www.site2.com | Android | 4 | US | 8 |
| macOS | 4 | UK | 1 | |
| Windows | 2 | AU | 1 | |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please clarify your requirement.
What if site1 had only 2 countries, or site2 had an extra platform, what would your expected / desired result look like then?
Btw, your JSON example isn't valid JSON (there is a spurious comma after Android.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If site1 has only 2 countries and site2 has one extra platform, then the expected result should be like below.
| Origin | Platform | Platform Count | Country | Country Count |
| https://www.site1.com | Android | 10 | US | 22 |
| macOS | 12 | UK | 3 | |
| Windows | 6 | |||
| https://www.site2.com | Android | 4 | US | 8 |
| macOS | 4 | UK | 1 | |
| Windows | 2 | AU | 1 | |
| IND | 5 |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If site1 has only 2 countries, then we need to display 2 records.
Updated Splunk event data:
{
"additional": {
"method": "POST",
"url": "/api/resource/getContentEditorData",
"headers": {
"cloudfront-viewer-country": "US",
"origin": "https://www.site1.com",
"sec-ch-ua-platform": "\"Android\""
}
},
"level": "notice",
"message": "INCOMING REQUEST: POST /api/resource/getContentEditorData"
}
============
{
"additional": {
"method": "POST",
"url": "/api/resource/getContentEditorData",
"headers": {
"cloudfront-viewer-country": "UK",
"origin": "https://www.site1.com",
"sec-ch-ua-platform": "\"Windows\""
}
},
"level": "notice",
"message": "INCOMING REQUEST: POST /api/resource/getContentEditorData"
}
=========================
{
"additional": {
"method": "POST",
"url": "/api/resource/getContentEditorData",
"headers": {
"cloudfront-viewer-country": "AU",
"origin": "https://www.site2.com",
"sec-ch-ua-platform": "\"Windows\""
}
},
"level": "notice",
"message": "INCOMING REQUEST: POST /api/resource/getContentEditorData"
}
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
SplunkTrust Application Period is Officially OPEN!
