Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Query to form a table with multiple JSON fields

shashaikhhh
Explorer
‎06-16-2022 06:58 AM

Below is my splunk raw event data

{
"additional": {
"method": "POST",
"url": "/api/resource/getContentEditorData",
"headers": {
"cloudfront-viewer-country": "US",
"origin": "https://www.site1.com",
"sec-ch-ua-platform": "\"Android\"",
}
},
"level": "notice",
"message": "INCOMING REQUEST: POST /api/resource/getContentEditorData"
}

I need count of cloudfront-viewer-country and sec-ch-ua-platform for each Origin

Please help.

Expected Result:

OriginPlatformPlatform CountCountryCountry Count
https://www.site1.comAndroid10US22
 macOS12UK3
 Windows6AU1
https://www.site2.comAndroid4US8
 macOS4UK1
 Windows2AU1
     
Labels (3)
Labels
Tags (2)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-16-2022 08:38 AM

Please clarify your requirement.

What if site1 had only 2 countries, or site2 had an extra platform, what would your expected / desired result look like then?

Btw, your JSON example isn't valid JSON (there is a spurious comma after Android.

Reply

shashaikhhh
Explorer
‎06-16-2022 08:54 AM

If site1 has only 2 countries and site2 has one extra platform, then the expected result should be like below.

OriginPlatformPlatform CountCountryCountry Count
https://www.site1.comAndroid10US22
 macOS12UK3
 Windows6  
https://www.site2.comAndroid4US8
 macOS4UK1
 Windows2AU1
   IND5
0 Karma
Reply

shashaikhhh
Explorer
‎06-16-2022 08:50 AM

If site1 has only 2 countries, then we need to display 2 records.


Updated Splunk event data:
{
"additional": {
"method": "POST",
"url": "/api/resource/getContentEditorData",
"headers": {
"cloudfront-viewer-country": "US",
"origin": "https://www.site1.com",
"sec-ch-ua-platform": "\"Android\""
}
},
"level": "notice",
"message": "INCOMING REQUEST: POST /api/resource/getContentEditorData"
}

============

{
"additional": {
"method": "POST",
"url": "/api/resource/getContentEditorData",
"headers": {
"cloudfront-viewer-country": "UK",
"origin": "https://www.site1.com",
"sec-ch-ua-platform": "\"Windows\""
}
},
"level": "notice",
"message": "INCOMING REQUEST: POST /api/resource/getContentEditorData"
}

=========================

{
"additional": {
"method": "POST",
"url": "/api/resource/getContentEditorData",
"headers": {
"cloudfront-viewer-country": "AU",
"origin": "https://www.site2.com",
"sec-ch-ua-platform": "\"Windows\""
}
},
"level": "notice",
"message": "INCOMING REQUEST: POST /api/resource/getContentEditorData"
}

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...