Hi. I have JSON data such as:
{"result":
[
{"EventData.mlsnumber": "1039455", "result": 1},
{"EventData.mlsnumber": "1189814", "result": 1},
{"EventData.mlsnumber": "1218148", "result": 1},
{"EventData.mlsnumber": "1247031", "result": 4},
{"EventData.mlsnumber": "1290591", "result": 1},
{"EventData.mlsnumber": "4629170", "result": 1},
{"EventData.mlsnumber": "4629729", "result": 1},
]
}
I want to display EventData.mlsnumber in an MLS_Number column and result in a Count column. I have gone through this website http://docs.splunk.com/Documentation/Splunk/6.2.5/SearchReference/spath but did not get any single output.
For your information, I am getting the result from the REST API into the Splunk search. Can you please help me with the search?
The search started as: source="rest://mls_number" which gives results when I perform search, so what should I add after that?
Thanks!!
So a simple rename will work.
source="rest://mls_number" | rename result{}.EventData.mlsnumber AS MLS_Number result{}.result AS Count
But a caveat here is that the fields are multivalue and won't expand correctly when you try to do stats on the mls numbers.
So after the search above, do this:
eval atmp = mvzip(MLS_Number,Count) | mvexpand atmp | eval a=split(atmp,",")|eval Count = mvindex(a,1)|eval MLS_Number=mvindex(a,0) | <other stats>
The other stats will allow you to do time based calculations by MLS_Number.
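An added example, not part of the original answer: a self-contained search that goes one step beyond the mvzip approach by expanding each element of the result array as a whole object, so MLS_Number and Count stay paired even when an element is missing one of the two keys (mvzip pairs values by position only). It assumes a Splunk version that has makeresults; the field name row is hypothetical, and the sample event is constructed from the question's data plus one constructed element without a result key.

```spl
| makeresults
| eval _raw="{\"result\": [{\"EventData.mlsnumber\": \"1039455\", \"result\": 1}, {\"EventData.mlsnumber\": \"1247031\", \"result\": 4}, {\"EventData.mlsnumber\": \"4629170\"}]}"
| spath path=result{} output=row
| mvexpand row
| spath input=row
| rename "EventData.mlsnumber" AS MLS_Number, result AS Count
| table MLS_Number Count
```

Against the real input, replace the first two lines with source="rest://mls_number" and keep the rest of the pipeline.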