Splunk Search

Getting Count of specific value in json formatted log

kahlerb
Explorer

I have a json splunk log, and I need to get the count of the number of times the "message" field is equal to "Total request time". This same template is used for most all the logs, so the "message" field can have several different values.

{
api: my-fancy-api
app: MyApp
category: RESP_TIME
message: Total request time
reference_id: MyID123123
session_id: 1442877284-39497
time: 09-21-2015 23:14:45.023 +0000
total_request_time: 0.557
units: seconds
}

EDIT:
Ultimately I will need to get the count of multiple values for "message" in the same search string. One count for "Total request time" and then another count for "Sub-request time" etc.

Tags (1)
0 Karma

somesoni2
SplunkTrust
SplunkTrust

Assuming you've setup KV_MODE=json to correctly parse the fields from your json data, try something like this

your base search message="Total request time" | stats count
0 Karma

kahlerb
Explorer

Thank you for the quick answer... please see the clarification I added with the edit.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...