I have essentially the same problem. In my case, a "scenario" has multiple "slots", slots have multiple "widgets", and widgets have multiple "assets". I'm trying count the asset ID's per widget / scenario pair. (slots are not relevant in this query)
An input would look like this:
{
\"scenario\": \"webv1\",
\"slots\": [
{ \"name\" : \"slot1\",
\"widgets\": [
{ \"type\": \"A\",
\"assets\": [ { \"id\": \"d1\" },
{ \"id\": \"d2\" } ] }
]
},
{ \"name\" : \"slot2\",
\"widgets\": [
{ \"type\": \"B\",
\"assets\": [ { \"id\": \"d3\"} ] }
]
}
]
}
The single event appears in a table like this:
scenario widget asset-id
webv1 A d1
B d2
d3
I believe I need to expand the single event into one event per asset, and then count that asset-id by the scenario&widget it appears in. The table for the above event should look like this:
scenario widget asset-id
webv1 A d1
webv1 A d2
webv1 B d3
But mvexpand on the asset-ids gives
webv1 A d1
B
webv1 A d2
B
webv1 A d3
B
The problem is how can you associate A with d1 in one event and d2 in another, and B with d3 in a third?
Here is a bonus I just picked up for working on problems like this. You can put the JSON or text for your event directly into your splunk query without having to first retrieve it from somewhere. This lets you play around with the input very quickly. Just do this:
|stats count | fields -count
| eval response="
{
YOUR JSON GOES HERE, WITH QUOTES ESCAPED
\"scenario\": \"webv1\",
\"slots\": [
{ \"name\" : \"slot1\",
\"widgets\": [
{ \"type\": \"A\",
\"assets\": [ { \"id\": \"d1\" },
{ \"id\": \"d2\" } ] }
]
},
{ \"name\" : \"slot2\",
\"widgets\": [
{ \"type\": \"B\",
\"assets\": [ { \"id\": \"d3\"} ] }
]
}
]
}
"
| spath input=response
| search YOUR QUERY GOES HERE
... View more
