I have a response that looks like this:
{"meta":{"code":400},"flag1":false,"flag2":false,"flag3":true}
There are more than 3 flags, but this is an example.
Assuming that there is only one that is true in each response, I want to get a count of which flag is true the most times, in descending order.
You should not use foreach *. tag::event is a meta field and foreach will not handle those. It is quite obvious that your data also contain other irrelevant fields. If you know those tag names, enumerate them. (Read the document.)
| foreach flag1 flag2 flag3 ... flagX
[eval trueflag = mvappend(trueflag, if(<<FIELD>> == "true", "<<FIELD>>", null()))]
| stats count by trueflag
Alternatively, you probably do not care about other fields. Remove them so foreach will not be bombed.
| fields loggingObject.responseJson
| spath input=loggingObject.responseJson
| foreach *
[eval trueflag = mvappend(trueflag, if(<<FIELD>> == "true", "<<FIELD>>", null()))]
| stats count by trueflag
Something like
| foreach flag*
[eval trueflag = mvappend(trueflag, if(<<FIELD>> == "true", "<<FIELD>>", null()))]
| stats count by trueflag
The wildcard expression will depend on actual field names. (Worst case, you iterate over non-flag fields; alternatively, you enumerate all possible flags.) See foreach.
Thanks. My response object is extracted to responseJson.
How do I iterate over any possible field name in responseJson? What am I doing wrong below?
| eval responseJson='loggingObject.responseJson'
| foreach *
[eval trueflag = mvappend(trueflag, if(<<FIELD>> == "true", "<<FIELD>>", null()))]
| stats count by trueflag
Do you mean to say that Splunk gives you a field named 'loggingObject.responseJson' with that JSON object as its value? In that case, you need to first extract from JSON with spath. (A newer alternative is fromjson.)
| spath input=loggingObject.responseJson
| foreach flag*
[eval trueflag = mvappend(trueflag, if(<<FIELD>> == "true", "<<FIELD>>", null()))]
| stats count by trueflag
Here is an emulation you can play with and compare with real data.
| makeresults
| fields - _time
| eval loggingObject.responseJson = "{\"meta\":{\"code\":400},\"flag1\":false,\"flag2\":false,\"flag3\":true}"
``` data emulation above ```
Thanks.
When I hardcode data like you've done, and I add backslash-escaped quotes, it works.
| makeresults
| fields - _time
| eval loggingObject.responseJson = "{\"meta\":{\"code\":400},\"flag1\":false,\"flag2\":false,\"flag3\":true,\"flag3status\":\"3\",\"flag4\":false,\"flag5\":false,\"flag6\":false,\"flag7\":false, \"flag7reason\":\"xyz\"}"
| spath input=loggingObject.responseJson
| foreach *
[eval trueflag = mvappend(trueflag, if(<<FIELD>> == "true", "<<FIELD>>", null()))]
| stats count by trueflag
When I use my real data results, I do get results, but also some Splunk errors:
| eval responseJson='loggingObject.responseJson'
| spath input=responseJson
| foreach *
[eval trueflag = mvappend(trueflag, if(<<FIELD>> == "true", "<<FIELD>>", null()))]
| stats count by trueflag
Errors:
[shsplnkprnap008,shsplnkprnap009,shsplnkprnap010,shsplnkprnap011,shsplnkprnap012,shsplnkprnap013] Failed to parse templatized search for field 'tag::eventtype'
[shsplnkprnap008,shsplnkprnap009,shsplnkprnap011,shsplnkprnap012,shsplnkprnap013] Failed to parse templatized search for field 'loggingObject.methodParams{}.className'
[shsplnkprnap008,shsplnkprnap009,shsplnkprnap011,shsplnkprnap012,shsplnkprnap013] Failed to parse templatized search for field 'loggingObject.methodParams{}.value'
[shsplnkprnap008,shsplnkprnap009,shsplnkprnap012,shsplnkprnap013] Failed to parse templatized search for field 'loggingObject.requestHeaders.user-agent'
[shsplnkprnap008,shsplnkprnap009,shsplnkprnap012,shsplnkprnap013] Failed to parse templatized search for field 'loggingObject.requestHeaders.x-forwarded-for'
[shsplnkprnap008,shsplnkprnap009,shsplnkprnap013] Failed to parse templatized search for field 'Device-ID'
[shsplnkprnap008,shsplnkprnap009,shsplnkprnap013] Failed to parse templatized search for field 'valid-beacon-dept-count'
[shsplnkprnap009] Failed to parse templatized search for field 'steps{}'
I am able to do something like this without Splunk errors:
| eval responseJson='loggingObject.responseJson'
| stats count by responseJson
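Putting the thread's advice together, here is a complete search you can paste into a Splunk search bar. It is an added example, not code from any of the posters: the four responses are constructed with makeresults and split so it runs without any index, and the real search would replace that part with whatever produces loggingObject.responseJson. Two details differ from the searches above. First, foreach is restricted to flag* after spath, so fields such as tag::eventtype, loggingObject.requestHeaders.x-forwarded-for or steps{} are never substituted into the eval; the "Failed to parse templatized search" errors listed above are all on names containing colons, hyphens or braces, which is consistent with the unquoted <<FIELD>> == "true" template not parsing for them. Second, the field is referenced as '<<FIELD>>' (single quotes), which is the eval field-name quoting the foreach documentation uses and is what to keep if you ever have to iterate over names with such characters. The n_true column is an assumption-check I added: the question assumes exactly one true flag per response, and the fourth constructed response deliberately breaks that so the violation shows up in the output instead of being silently counted twice.

```spl
``` constructed emulation of four API responses; replace with the real search that yields loggingObject.responseJson ```
| makeresults
| eval loggingObject.responseJson = split("{\"meta\":{\"code\":400},\"flag1\":false,\"flag2\":false,\"flag3\":true,\"flag3status\":\"3\"}|{\"meta\":{\"code\":200},\"flag1\":true,\"flag2\":false,\"flag3\":false}|{\"meta\":{\"code\":400},\"flag1\":false,\"flag2\":false,\"flag3\":true,\"flag7reason\":\"xyz\"}|{\"meta\":{\"code\":500},\"flag1\":true,\"flag2\":true,\"flag3\":false}", "|")
| mvexpand loggingObject.responseJson
``` keep only the JSON so foreach never sees unrelated fields such as tag::eventtype ```
| fields loggingObject.responseJson
| spath input=loggingObject.responseJson
``` iterate only the flag fields; flag3status and flag7reason also match flag*, but their values are not "true", so they are skipped ```
| foreach flag*
    [eval trueflag = mvappend(trueflag, if('<<FIELD>>' == "true", "<<FIELD>>", null()))]
``` n_true exposes responses that violate the one-true-flag assumption (0 or more than 1) ```
| eval n_true = coalesce(mvcount(trueflag), 0)
| stats count by trueflag n_true
| sort - count
```

Responses with no true flag have a null trueflag and drop out of the stats rows, which is what you want for "which flag is true the most". Rows with n_true greater than 1 are the ones to investigate; if there are none, drop n_true from the by clause to get the plain per-flag count the question asks for.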