Given below is a snippet of a Splunk event. My requirement is to find all the occurrences of `"isOutstanding": true`. The point to note here is that one event may or may not have multiple occurrences. I need to find the total count across multiple events over a period of time.
```json
{
  \"school\": {
    \"schoolId\": \"1\",
    \"schoolName\": \"SchoolX\",
    \"schoolType\": \"private\",
    \"students\": [
      {
        \"id\": \"1\",
        \"isOutstanding\": true,
      },
      {
        \"id\": \"2\",
        \"isOutstanding\": false,
      },
      {
        \"id\": \"3\",
        \"isOutstanding\": false,
      }
    ]
  }
}
```
The Splunk query below, `index=myIndex "isOutstanding":true`, gives the count of events having `"isOutstanding": true`. But it doesn't consider the count of multiple occurrences in one event. How can I get the count of all the occurrences in an event? TIA
Finally got the query for my requirement
```
index=myindex sourcetype=mysourceType
| rex max_match=0 "(?<isOutstanding>isOutstanding\\\\\":true)"
| stats count(isOutstanding) as total
```
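To make the difference between the two counts concrete (events that contain at least one match versus the total number of matches across all events), here is an added Python illustration of the same idea: run a multi-match regex per event, then sum. It is not part of the original thread and not Splunk code; the three sample events are constructed for this example in the same backslash-escaped shape as the question's snippet, and `count_structural` is a hypothetical parse-based alternative for cases where the exact spacing or quoting of the raw text is not known in advance.

```python
import json
import re

# Constructed sample events (not data from the original question), written in the
# same escaped-JSON shape as the snippet in the post: quotes appear as \" in the raw text.
SAMPLE_EVENTS = [
    r'{\"school\": {\"schoolId\": \"1\", \"students\": ['
    r'{\"id\": \"1\", \"isOutstanding\": true}, '
    r'{\"id\": \"2\", \"isOutstanding\": true}, '
    r'{\"id\": \"3\", \"isOutstanding\": false}]}}',
    r'{\"school\": {\"schoolId\": \"2\", \"students\": ['
    r'{\"id\": \"4\", \"isOutstanding\": true}]}}',
    r'{\"school\": {\"schoolId\": \"3\", \"students\": ['
    r'{\"id\": \"5\", \"isOutstanding\": false}]}}',
]

# Tolerates an optional escaping backslash before each quote and optional whitespace
# around the colon; the trailing \b keeps a value like "trueish" from matching.
OUTSTANDING_RE = re.compile(r'\\?"isOutstanding\\?"\s*:\s*true\b')


def count_occurrences(raw_event: str) -> int:
    """Number of "isOutstanding": true matches inside one raw event (the rex max_match=0 analogue)."""
    return len(OUTSTANDING_RE.findall(raw_event))


def summarize(raw_events) -> tuple:
    """Return (events_with_a_match, total_occurrences).

    The first number is what a plain search term such as "isOutstanding":true counts;
    the second is the per-event multi-match count summed over all events.
    """
    per_event = [count_occurrences(e) for e in raw_events]
    return sum(1 for n in per_event if n > 0), sum(per_event)


def _walk(node, key: str) -> int:
    """Recursively count occurrences of key with a boolean true value in parsed JSON."""
    if isinstance(node, dict):
        return sum(
            (1 if k == key and v is True else 0) + _walk(v, key)
            for k, v in node.items()
        )
    if isinstance(node, list):
        return sum(_walk(item, key) for item in node)
    return 0


def count_structural(raw_event: str) -> int:
    """Hypothetical parse-based alternative: undo the \" escaping, parse as JSON, count.

    Unlike the regex, this does not depend on spacing or quoting in the raw text and
    is not fooled by a string value such as "true".
    """
    decoded = raw_event.replace('\\"', '"')
    return _walk(json.loads(decoded), "isOutstanding")


if __name__ == "__main__":
    matched, total = summarize(SAMPLE_EVENTS)
    print(f"events containing a match: {matched}")        # 2
    print(f"total occurrences:         {total}")          # 3
    print([count_structural(e) for e in SAMPLE_EVENTS])   # [2, 1, 0]
```

The event-level count (2) is what a bare search term returns, while the summed multi-match count (3) is the total the question asks for; the parse-based variant gives the same per-event numbers without relying on the literal byte layout of the raw event.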