How can we write the Splunk Query to find subField2 is present or not and if present get the counts of all subFiled2

Question

{ index:"myIndex", field1: "myfield1", field2: {"subField1":"mySubField1","subField2":145,"subField3":500}, ... .. . }

SPL : index:"myIndex" eval result = if(field.subField2) ..... is the dot operator works in SPL ?

score 0 · Answer 1 · answered Apr 22 '20 at 10:34

0

I am assuming your data is in JSON format. If so, you can use spath to extract fields from your structured data. Then just check if the field is present or not with isnotnull

index="myIndex" | spath | where isnotnull(field2.subField2)

answered Apr 22 '20 at 10:34

Simon Duff

2,631
2
7
15

score 0 · Answer 2 · answered Apr 22 '20 at 16:26

0

Presuming your data is in JSON format, this should do it:

index=myIndex sourcetype=srctp field2{}.subField2=*

If those are multivalue fields, you'll need to do an mvexpand first

answered Apr 22 '20 at 16:26

warren

32,620
21
85
124

How can we write the Splunk Query to find subField2 is present or not and if present get the counts of all subFiled2

2 Answers2