Hi *,
I have some trouble with Splunk stats functions :).
I have a JSONArray event like this and I need to sum all counts grouped by status.
When I execute the search below, I get the following result.
What is wrong?
Result
sum(responces{}.count):
2xx = 2160
4xx = 405
JSON Event
{ "responces": [
{ "count": 19, "status": "2xx" },
{ "count": 7, "status": "2xx" },
{ "count": 1, "status": "2xx" },
{ "count": 1, "status": "2xx" },
{ "count": 4, "status": "2xx" },
{ "count": 1, "status": "2xx" },
{ "count": 2, "status": "2xx" },
{ "count": 1, "status": "2xx" },
{ "count": 1, "status": "2xx" },
{ "count": 1, "status": "2xx" },
{ "count": 40, "status": "2xx" },
{ "count": 19, "status": "2xx" },
{ "count": 1, "status": "2xx" },
{ "count": 11, "status": "2xx" },
{ "count": 1, "status": "2xx" },
{ "count": 10, "status": "2xx" },
{ "count": 1, "status": "4xx" },
{ "count": 2, "status": "4xx" },
{ "count": 12, "status": "4xx" }
] }
Search
search XYZ | spath input=json | stats sum(responces{}.count) by responces{}.status
I use Splunk Enterprise
Splunk-Version 6.4.0
Splunk-Build f2c836328108
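An added illustration, not part of the original post: a Python model of why the posted search returns 2160 and 405. The function names and the simplified model of `stats` over two multivalue fields are assumptions made for this example; it reproduces the posted numbers and shows the per-object sums next to them.

```python
from collections import defaultdict

# Event from the post, rebuilt compactly (field name "responces" kept as posted).
COUNTS = {"2xx": [19, 7, 1, 1, 4, 1, 2, 1, 1, 1, 40, 19, 1, 11, 1, 10],
          "4xx": [1, 2, 12]}
EVENT = {"responces": [{"count": c, "status": s}
                       for s, values in COUNTS.items() for c in values]}


def extract_multivalue(event):
    """Flatten the array into two independent multivalue fields.

    This mirrors the two field names used in the posted search,
    responces{}.count and responces{}.status: each holds every value
    from the array, and the pairing between a count and its status is gone.
    """
    counts = [r["count"] for r in event["responces"]]
    statuses = [r["status"] for r in event["responces"]]
    return counts, statuses


def sum_by_multivalue(counts, statuses):
    """Simplified model (assumption) of stats sum(X) by Y on one event.

    The event lands in a group once per value of the by-field, and each
    time sum() adds up all values of the count field.
    """
    totals = defaultdict(int)
    for status in statuses:
        totals[status] += sum(counts)
    return dict(totals)


def sum_per_object(event):
    """Group while count and status are still paired inside each object."""
    totals = defaultdict(int)
    for r in event["responces"]:
        totals[r["status"]] += r["count"]
    return dict(totals)


if __name__ == "__main__":
    counts, statuses = extract_multivalue(EVENT)
    print("multivalue grouping:", sum_by_multivalue(counts, statuses))
    print("per-object grouping:", sum_per_object(EVENT))
```

In Splunk the pairing is typically kept by expanding the array into one result per object (for example with `mvexpand`) before running `stats`.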