Splunk query with conditions of an object

Question

I need a Splunk query to fetch the counts of each field used in my dashboard.

Splunk sample data for each search is like this

timestamp="2022-11-07 02:06:38.427"
 
loglevel="INFO" pid="1"

thread="http-nio-8080-exec-10"

appname="my-test-app"  

URI="/testapp/v1/mytest-app/dashboard-service" 

RequestPayload="{\"name\":\"test\",\"number\":\"\"}"

What would a search look like to print a table with the number of times the name and number is used to search data (at a time only either number/name data can be given by user).

Expected output in table format with counts for Name and Number

score 1 · Answer 1 · answered Nov 07 '22 at 10:02

@Hanuman Can you please try this? You can change regular expression as per your events and match with JSON data.

YOUR_SEARCH | rex field=_raw "RequestPayload=\"(?<data>.*[}])\""
| spath input=data
|table name number

My Sample Search:

| makeresults | eval _raw="*timestamp=\"2022-11-07 02:06:38.427\" loglevel=\"INFO\" pid=\"1\" thread=\"http-nio-8080-exec-10\" appname=\"my-test-app\" URI=\"/testapp/v1/mytest-app/dashboard-service\" RequestPayload=\"{\"name\":\"test\",\"number\":\"1\"}\"*"
| rex field=_raw "RequestPayload=\"(?<data>.*[}])\""
| spath input=data
|table name number

Screen

Thanks

Splunk query with conditions of an object

1 Answers1