如何评估代表另一个字段长度的 Splunk 字段？

Question

我已将以下包含 JSON 行的示例文件加载到 Splunk 中：

{"duration":2134,"input":["foo","bar"],"level":"info","msg":"Processed input","time":"2022-04-07T08:10:23.14427-07:00"}
{"duration":997,"input":["baz"],"level":"info","msg":"Processed input","time":"2022-04-07T08:10:23.144526-07:00"}

Splunk has parsed these fields such that the input field is a list: I would like to generate a table of the length of (number of elements in) the input and the duration field. Following https://docs.splunk.com/Documentation/StreamProcessor/standard/FunctionReference/List#length.28input.29, I've tried

msg="Processed input" 
| eval N=length(input) 
| table N, duration

but this yields no values for N:

What would be the correct way to determine N?

Answer 1

使用mvcount('input{}')代替length(input)

编辑：将单引号括起来，input{}因为{,}是特殊字符。