
I have a log with payload something like this:

"Stats":[        { 
           errors: 0
           type: "Disc"
           success: 878
         },
         {
           errors: 21
           type: "cronJob"
           success: 25
         },
         { 
           errors: 0
           type: "File"
           success: 8787
         },
         { 
           errors: 15
           type: "Unknown"
           success: 0
         }]

I need to get rid of the "Unknown" type object and get the sum of the remaining values

I am able to get the sum of all errors but for the events with type Unknown I am not sure how to do that. Could you please help?

<search>|rename Stats{}.type= as type|eventstats sum(errors)  as ErrorCount 

This is my current search without excluding the Unknown type. How do I incorporate the logic to exclude Unknown counts?

Joe

2 Answers

<search>|rename Stats{}.type= as type | where type != "Unknown" | eventstats sum(errors)  as ErrorCount 
Simon Duff
    Please don't post only code as answer, but also provide an explanation what your code does and how it solves the problem of the question. Answers with an explanation are usually more helpful and of better quality, and are more likely to attract upvotes. – Mark Rotteveel Aug 07 '20 at 06:55
  • this doesn't work - it will eliminate all events that have "Unknown" in the `Stats{}.type` field .. which is not what you want. And you cannot do `rename Stats{}.type= as type` - you'll get a syntax error. – warren Aug 10 '20 at 14:24

The JSON payload is being treated as a multivalue field

So you need to mvexpand it before filtering out what you want to ignore

Try something like this:

index=ndx sourcetype=srctp Stats{}.type=*
| rename Stats{}.type as type
| mvexpand type
| search NOT type="Unknown"
| ...
warren
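An added example of my own (not code from the question or either answer) that models in Python what the mvexpand step changes: the constructed events below mirror the question's Stats array, and the two summing functions compare an event-level filter (which drops the whole event, as warren's comment on the first answer describes) with expanding to one row per array element before excluding "Unknown".

```python
# Added example, not from the question or answers: models event-level filtering
# of a multivalue field versus mvexpand-style expansion followed by filtering.
from typing import Dict, List

# Constructed sample events; the first mirrors the "Stats" array in the question,
# the second is an extra event with no "Unknown" element.
EVENTS: List[Dict] = [
    {"Stats": [
        {"errors": 0, "type": "Disc", "success": 878},
        {"errors": 21, "type": "cronJob", "success": 25},
        {"errors": 0, "type": "File", "success": 8787},
        {"errors": 15, "type": "Unknown", "success": 0},
    ]},
    {"Stats": [
        {"errors": 3, "type": "Disc", "success": 100},
        {"errors": 2, "type": "File", "success": 50},
    ]},
]


def sum_errors_event_filter(events: List[Dict], excluded: str = "Unknown") -> int:
    """Event-level filter: an event whose multivalue Stats{}.type contains the
    excluded value is dropped whole, so its Disc/cronJob/File errors vanish too."""
    total = 0
    for ev in events:
        if excluded in [s["type"] for s in ev["Stats"]]:
            continue
        total += sum(s["errors"] for s in ev["Stats"])
    return total


def expand(events: List[Dict]) -> List[Dict]:
    """mvexpand-style: one row per array element, keeping type and errors paired
    (the _event key records which original event the row came from)."""
    return [dict(row, _event=i) for i, ev in enumerate(events) for row in ev["Stats"]]


def sum_errors_expanded(events: List[Dict], excluded: str = "Unknown") -> int:
    """Expand first, then drop only the "Unknown" rows, then sum the rest."""
    return sum(r["errors"] for r in expand(events) if r["type"] != excluded)


def errors_by_type(events: List[Dict], excluded: str = "Unknown") -> Dict[str, int]:
    """Same expansion, grouped per type (the equivalent of stats sum(errors) by type)."""
    out: Dict[str, int] = {}
    for r in expand(events):
        if r["type"] != excluded:
            out[r["type"]] = out.get(r["type"], 0) + r["errors"]
    return out
```

On the sample data the event-level filter returns 5 (only the second event survives), while the expanded version returns 26, which is the total the question asks for.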