Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I sum similarly named fields from nested JSON?

unclethan
Path Finder
‎08-09-2016 04:52 PM

I have JSON events with a sub list and want to sum similarly named fields for each event.

{ "id": "theid", "subdata": [ { "subname": "s1", "key1_foo": 10, "key1_bar": 12, "key2_foo": 100, "key2_bar": 101}, {"subname": "s2", "key1_foo ....

I would like to chart max(sum_of_key1*), max(sum_of_key2*) by the id
and also by subname.

Any info would be appreciated.

Thanks

Tags (3)
0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎08-10-2016 03:05 PM

Replace the ... with the root searches:

...
| spath 
| rename subdata{}.key1* as key1*
| stats sum(key1*) as key1* 
| addtotals key1* 
| append 
 [ 
 search ... 
 | spath 
 | rename subdata{}.key2* as key2*
 | stats sum(key2*) as key2* 
 | addtotals key2* 
 ] 
| transpose
0 Karma
Reply

sundareshr
Legend
‎08-10-2016 01:25 PM

If you have your data indexed as JSON, and all fields are extracted, this shoud work

| rename subdata{}.* as *
| stats sum(key1_*) as sum_key1_* sum(key2_*) as sum_key2_*
0 Karma
Reply

unclethan
Path Finder
‎08-10-2016 01:31 PM

as I mentioned above, the summation is meant to be across similar keys within the json object, not per-key, across events.

0 Karma
Reply

javiergn
Super Champion
‎08-10-2016 03:54 AM

Is this what you are looking for? If not please post a few samples and a more detailed JSON file.

your base search here
| spath input=yourJsonField
| stats sum(subdata*) as subdata* by id
| stats max(subdata*) as subdata*

Example with some data:

| makeresults
| eval _raw = "
{ \"id\": \"theid\", \"subdata\": [ 
  { \"subname\": \"s1\", \"key1_foo\": 10, \"key1_bar\": 12, \"key2_foo\": 100, \"key2_bar\": 101}, 
  {\"subname\": \"s2\", \"key1_foo\": 20, \"key1_bar\": 24, \"key2_foo\": 200, \"key2_bar\": 202}
]
}
"
| spath input=_raw
| stats sum(subdata*) as subdata* by id
| stats max(subdata*) as subdata*

Output:
alt text

Preview file
1 KB
0 Karma
Reply

unclethan
Path Finder
‎08-10-2016 01:08 PM

Sorry I wasn't clear.
Your example gives a result per key1_* field, I need a sum over all the key1_fields, named key1, and the same for key2.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎08-09-2016 06:18 PM

This is my go to article for this use case:

https://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/Spath#Example_3:_Extract_and_expa...

0 Karma
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...