Solved: Grouping by items in an array

Maurice · ‎07-09-2021

Hi,

I'm hoping someone can help me out here.

I have a property(books) on each event which holds an array of objects.

I would like to group by books{}.name with count on y axis and create a bar chart.

I tried using top books{}.name but this does not seem to give the correct results, seems to miss out on some groups all together

{

books:[

{name: "book1"},

{name: "book2"},

{name: "book3"},

{name: "book1"},

]

}

Would you have an idea of how to fix this,

Kind Regards,

Maurice

ITWhisperer · ‎07-09-2021

Are you extracting the fields with spath first?

| makeresults 
| eval _raw="{
\"books\":[
{\"name\": \"book1\"},
{\"name\": \"book2\"},
{\"name\": \"book3\"},
{\"name\": \"book3\"},
{\"name\": \"book1\"},
{\"name\": \"book1\"},
      ]
}"
| spath
| top books{}.name

View solution in original post

ITWhisperer · ‎07-09-2021

Are you extracting the fields with spath first?

| makeresults 
| eval _raw="{
\"books\":[
{\"name\": \"book1\"},
{\"name\": \"book2\"},
{\"name\": \"book3\"},
{\"name\": \"book3\"},
{\"name\": \"book1\"},
{\"name\": \"book1\"},
      ]
}"
| spath
| top books{}.name

Maurice · ‎07-12-2021

Thanks a million for the reply.

It really helped focus me in the correct direction.

I ended up having to put an explicit spath before each of my search command that referenced one of the complex object properties.

similar to:

| spath books{}.name
| search books{}.name
| top books{}.name

Grouping by items in an array

JSON

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!

Preparing your Splunk Environment for OpenSSL3