How to count the number of event based on JSON field structure in Splunk

Question

I want to count the number of occurrence of a specific JSON structure. For example in my event there is a field called data which its value is JSON . but this field can have a variety of structures. like:

data = {a: "b"}
data= {d: "x", h: "e"} 
...

now I want to know how many event has data with each JSON structure and I don't care about values only keys are matter.

is this not clear? I just care about data field in my events, which can have 3 different JSON data. different keys/structure — Samira Arabgol, Feb 03 '21 at 18:18

score 0 · Answer 1 · answered Feb 03 '21 at 22:05

0

Try one of these 2:

index=ndx sourcetype=srctp data=*
| stats dc(data) as unique_data

Or

index=ndx sourcetype=srctp data=*
| stats values(data) as data_vals

answered Feb 03 '21 at 22:05

warren

32,620
21
85
124

How to count the number of event based on JSON field structure in Splunk

1 Answers1