This is my first Splunk question, so bear with me on my explanation.
I have 70 events, each containing multiple nested JSON objects. The structure of two events looks something like this:
event1: {
"tests": [
{
"expectation": "true",
"reality": "true",
"test_statistics": {
"components": "foo, bar"
}
},
{
"expectation": "true",
"reality": "false",
"test_statistics": {
"components": "foo, bar, baz"
}
}
]
}
event2: {
"tests": [
{
"expectation": "true",
"reality": "true",
"test_statistics": {
"components": "foo, bar, baz"
}
},
{
"expectation": "true",
"reality": "true",
"test_statistics": {
"components": "foo, bar"
}
}
]
}
Ultimately, I want a query that counts each component based on whether expectation=reality. So my condition should be that true==true (or, in other words, expectation==reality).
For my end goal I'd like to get the passing tests grouped by component and the total tests grouped by component, so that I can then generate a table matching this format (the first row is the column headers):
component | if(True==True) | Total Count
foo | 3 | 4
bar | 3 | 4
baz | 1 | 4
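One way to build that table in SPL, as an added example that is not part of the original post or any answer to it. It assumes each event's raw text is the JSON object shown above (a top-level `tests` array, without the `event1:` label), and that the `index`/`sourcetype` values are placeholders to replace with your own. Each array element is expanded into its own row, the comma-separated `components` string is split into one row per component, and a test counts as passing when `expectation` equals `reality`:

```spl
index=<your_index> sourcetype=<your_sourcetype>
| spath path=tests{} output=test
| mvexpand test
| spath input=test path=expectation output=expectation
| spath input=test path=reality output=reality
| spath input=test path=test_statistics.components output=components
| eval expectation=trim(expectation), reality=trim(reality)
| eval passed=if(expectation==reality, 1, 0)
| eval component=split(components, ",")
| mvexpand component
| eval component=trim(component)
| stats sum(passed) AS "if(True==True)", count AS "Total Count" BY component
```

Note that `Total Count` here is the number of tests that list a given component, so with the two sample events `baz` would show 2 rather than 4; if you instead want the overall number of tests in every row, compute it with `eventstats count AS "Total Count"` right after the first `mvexpand`, before splitting the components, and carry it through with `values()` in the final `stats`.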