×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
david_martinez
Engager
Member since: ‎01-22-2013
‎06-05-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎01-22-2013
Activity Feed
Topics I've Started
View All

Re: Json Query

by in Getting Data In
‎12-06-2019 11:00 PM
‎12-06-2019 11:00 PM
| makeresults | eval _raw="{\"_data\":{\"services\":[{\"id\":\"FB00000\",\"users\":[100,122]},{\"id\":\"FB11111\",\"users\":[404,797]}],\"socialNetwork\":\"FB\"},\"_timestamp\":\"01-02-02013T01:00:04.582+0100\",\"_type\":\"ServiceReport\"}" | spath path=_data.services{} output=data | kv | rename data.services{}.* as * | stats count by data.socialNetwork timestamp type data | spath input=data | stats count values(*) as * by users{} | rename users{} as users, data.socialNetwork as socialNetwork | table id users socialNetwork timestamp type mvexpand gives "mvexpand output will be truncated due to excessive memory usage Because of this kind of problem, I thought of an expansion method that doesn't use mvexpand and mvzip . The point is that the field that becomes multivalue is extracted once and expanded without using mvexpand by stats . ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma given to
View All