Several pointers about asking questions: When sharing structured data, please click "Raw text" before copying from the event window. Splunk's formatted display creates a hurdle for volunteers to reverse. If you expect people to help read some SPL code you illustrate, your illustrated data should include the relevant details used in your code. For example, your illustration gives no indication of message.ssoType, message.incomingRequest.partner, etc. (In the following, I will assume that they are flat paths that require no special treatment.)

The key to solving your problem is to note that JSON node message.backendCalls is an array. In SPL, the flattened JSON array is denoted with a pair of curly brackets, i.e., message.backendCalls{}. In addition, if the raw events have a structure similar to your illustration, message.incomingRequest.partner, message.backendCalls{}.*, etc., should have already been extracted by Splunk at search time. There is no need for spath. Furthermore, placing filters in the index search is more efficient than putting them downstream. Combining these pointers, you should consider

index="uhcportals-prod-logs" sourcetype=kubernetes container_name="myuhc-sso" logger="com.uhg.myuhc.log.SplunkLog"
    message.ssoType="Outbound" message.incomingRequest.partner = *
| rename message.incomingRequest.partner as "SSO_Partner"
| stats distinct_count("UUID") as Count by SSO_Partner, Membership_LOB, message.backendCalls{}.responseCode

Your sample data would result in

SSO_Partner  Membership_LOB  message.backendCalls{}.responseCode  Count
FBI          CIA             200                                  1

Here is a reverse-engineered emulation for you to play with and compare with real data

| makeresults
| eval _raw = "{
    \"@timestamp\": \"2024-12-25T08:10:57.764Z\",
    \"Membership_Category\": \"*******\",
    \"Membership_LOB\": \"CIA\",
    \"UUID\": \"********\",
    \"adminId\":\"*************\",
    \"adminLevel\": \"*************\",
    \"correlation-id\": \"*************\",
    \"dd.env\":\"*************\",
    \"dd.service\":\"*************\",
    \"dd.span_id\":\"*************\",
    \"dd.trace_id\":\"*************\",
    \"dd.version\":\"*************\",
    \"logger\":\"*************\",
    \"message\": {
        \"incomingRequest\": {
            \"partner\": \"FBI\"
        },
        \"ssoType\": \"Outbound\",
        \"backendCalls\": [
            {
                \"elapsedTime\": \"****\",
                \"endPoint\":\"*************\",
                \"requestObject\": {
                },
                \"responseCode\": 200,
                \"responseObject\": {
                }
            }
        ]
    }
}"
| spath
```
the above emulates
index="uhcportals-prod-logs" sourcetype=kubernetes container_name="myuhc-sso" logger="com.uhg.myuhc.log.SplunkLog"
message.ssoType="Outbound" message.incomingRequest.partner = *
```
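As an added illustration (not part of the original post or of Splunk itself), the Python below models the two points the answer makes: how search-time extraction names fields pulled out of a JSON array (message.backendCalls{}.responseCode), and how a multivalue field used in a stats by clause contributes one row per value. The events, UUIDs and response codes are constructed, and a third event with two backendCalls is added to show the multivalue split.

```python
import json
from collections import defaultdict
from itertools import product

# Constructed sample events (hypothetical values) shaped like the post's emulation.
def event(uuid, partner, sso_type, codes):
    return json.dumps({
        "Membership_LOB": "CIA", "UUID": uuid,
        "message": {"incomingRequest": {"partner": partner}, "ssoType": sso_type,
                    "backendCalls": [{"responseCode": c} for c in codes]}})

RAW_EVENTS = [event("u-1", "FBI", "Outbound", [200]),
              event("u-2", "FBI", "Outbound", [200, 500]),
              event("u-3", "FBI", "Inbound", [200])]  # filtered out by ssoType

def flatten(node, prefix=""):
    """Model of Splunk auto-extraction: nested keys join with '.', each array
    level appends '{}' to the name, repeated values form a multivalue list."""
    fields = defaultdict(list)
    if isinstance(node, dict):
        for key, val in node.items():
            path = f"{prefix}.{key}" if prefix else key
            for k, v in flatten(val, path).items():
                fields[k].extend(v)
    elif isinstance(node, list):
        for item in node:
            for k, v in flatten(item, prefix + "{}").items():
                fields[k].extend(v)
    else:
        fields[prefix].append(node)
    return dict(fields)

def distinct_count_by(events, count_field, by_fields):
    """Model of stats distinct_count(count_field) by by_fields: a multivalue
    by-field yields one row per value; events lacking a by-field are dropped."""
    groups = defaultdict(set)
    for ev in events:
        if not all(ev.get(f) for f in by_fields):
            continue
        for combo in product(*(ev[f] for f in by_fields)):
            groups[combo].update(ev.get(count_field, []))
    return {combo: len(ids) for combo, ids in groups.items()}

def run_search(raw_events=RAW_EVENTS):
    """Apply the answer's filters, the rename, then the stats aggregation."""
    extracted = [flatten(json.loads(raw)) for raw in raw_events]
    matched = [e for e in extracted if e.get("message.ssoType") == ["Outbound"]
               and e.get("message.incomingRequest.partner")]
    for e in matched:
        e["SSO_Partner"] = e.pop("message.incomingRequest.partner")
    return distinct_count_by(matched, "UUID",
        ["SSO_Partner", "Membership_LOB", "message.backendCalls{}.responseCode"])
```

Running run_search() yields a row for (FBI, CIA, 200) counting two UUIDs and a second row for (FBI, CIA, 500) counting one, which is how the post's stats line behaves once an event carries more than one backend call.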