Hello Community, I am fairly new to Splunk, and I am struggling with this. Here is my raw event: these are discrepancy events that show a reported discrepancy between two JSONs (for the context of this problem, it is not necessary to know those JSONs). Assume there are n events similar to what we have in the sample JSON:

{
"severity": "INFO",
"time": "2023-07-09 18:53:53.930",
"Stats": {
"discrepancy" : 10
},
"discrepancyDetails": {
"record/0": "#DEL",
"record/1": "#DEL",
"recordD": "#DEL",
"recordX": "expected => actual",
"recordY": "someExpectedVal => null", <-- actual value is null in this case
"recordN": "someExpectedValN => null"
}
}

Stats.discrepancy provides the total count, while discrepancyDetails provides the actual discrepancy. I want to fetch some statistics from this, which involve the following details:

- All the unique discrepancyDetails with their respective counts. Before finding the count, I want to remove all numerical characters from the key. For example, in the same JSON, we have two keys in the discrepancyDetails: "record/1" and "record/2". I want to treat these keys as "record/" and replace the numeric strings with an empty value.
- Figure out all the keys with null actual values (from the sample JSON, "expected => actual") and "#DEL" (deleted) values.

I was able to obtain the unique count of all the keys using the following query:

index="demo1" sourcetype="demo2"
| search discrepancyDetails AND Stats
| spath "Stats.discrepancy"
| search "Stats.discrepancy" > 0
| stats count(discrepancyDetails.*) as discrepancyDetails.*
| transpose

I am unable to figure out points 2 and 3 from the above requirements.

Desired output for requirement 2, considering the above sample JSON:

Unique_key  count
record/     2
recordD     1
recordX     1
recordY     1
recordN     1

Desired output for requirement 3, considering the above sample JSON:

Unique_key       null or #DEL  count
record/ recordD  #DEL          2
recordY recordN  null          2
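One way to produce requirements 2 and 3 in SPL, added here as an example and not taken from the original post. It assumes the index, sourcetype and field names shown in the question; the "|||" separator used to pair each key with its value is an arbitrary constructed delimiter, and the second search counts distinct digit-stripped keys per "null or #DEL" group so that it matches the desired output above.

```spl
index="demo1" sourcetype="demo2"
| spath path=Stats.discrepancy output=discrepancy
| where discrepancy > 0
| spath path=discrepancyDetails output=details
| rex field=details max_match=0 "\"(?<key>[^\"]+)\"\s*:\s*\"(?<val>[^\"]*)\""
| eval pair=mvzip(key, val, "|||")
| fields - key, val
| mvexpand pair
| rex field=pair "^(?<key>.*?)\|\|\|(?<val>.*)$"
| eval key=replace(key, "\d+", "")
| stats count AS count BY key
| rename key AS Unique_key

index="demo1" sourcetype="demo2"
| spath path=Stats.discrepancy output=discrepancy
| where discrepancy > 0
| spath path=discrepancyDetails output=details
| rex field=details max_match=0 "\"(?<key>[^\"]+)\"\s*:\s*\"(?<val>[^\"]*)\""
| eval pair=mvzip(key, val, "|||")
| fields - key, val
| mvexpand pair
| rex field=pair "^(?<key>.*?)\|\|\|(?<val>.*)$"
| eval key=replace(key, "\d+", "")
| eval actual=trim(mvindex(split(val, "=>"), -1))
| eval null_or_del=case(val=="#DEL", "#DEL", actual=="null", "null")
| where isnotnull(null_or_del)
| stats values(key) AS Unique_key, dc(key) AS count BY null_or_del
| rename null_or_del AS "null or #DEL"
```

The first search is requirement 2 (one row per digit-stripped key with its occurrence count); the second is requirement 3, where the shared prefix extracts every key/value pair from the discrepancyDetails object before classifying the actual value as "#DEL" or "null".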