splunksplunk-query
How to evaluate a Splunk field which represents the length of another field?
I've loaded the following example file containing lines of JSON into Splunk:
{"duration":2134,"input":["foo","bar"],"level":"info","msg":"Processed input","time":"2022-04-07T08:10:23.14427-07:00"}
{"duration":997,"input":["baz"],"level":"info","msg":"Processed input","time":"2022-04-07T08:10:23.144526-07:00"}
Splunk has parsed these fields such that the input field is a list:
I would like to generate a table of the length of (number of elements in) the input and the duration field. Following https://docs.splunk.com/Documentation/StreamProcessor/standard/FunctionReference/List#length.28input.29, I've tried
msg="Processed input"
| eval N=length(input)
| table N, duration
but this yields no values for N:
What would be the correct way to determine N?
Solution
Use mvcount('input{}') in replace of length(input)
Edit: Put Single quotes around input{} as {,} are special characters.
- Math.Sin() gives incorrect value
- How to run my python script when the sunOS is start booting
- Express-session: not resetting cookie expiration on each request
- Getting a stack overflow exception when normalizing a vector
- Edit default summary function in R gives error for multiple variables
- What was a For loop? Why isn't it needed in R?
- How to use download button in shiny and save results in various formats (csv, texte, pdf, spss...)?
- Why are there two assignment operators, `<-` and `->` in R?
- lm()$assign: what is it?
- How to get the value of list(...) in R and S functions
- Design matrix for MLM from library(lme4) with fixed and random effects
- how to generate elements not included in my sample
- Create a matrix with gradually changing values without a for loop
- Emacs ESS and S-plus ( S+ ) 8.1 compatability
- How to lag date-index in a time-series in R?
- Nonlinear regression in R / S
- Calling R from S-Plus?