我是Splunk的新手。我想基于日志中的JSON字符串创建一个仪表板。下面是一条搜索结果,JSON嵌在日志行的前缀之后:
2017-10-06T05:33:46.910365+00:00 loggregator xxxx[[APP/PROC/WEB/0]]: cf_foundation=px-xxx cf_app_name=xxxx cf_app_id=xxxx cf_org_name=xxx cf_org_id=xxxxx cf_space_name=development cf_space_id=xxxx.source.s_cf_apps at[Source: {
"accounts": [{
"isPuertoRicoIndicator": false,
"accountNumber": "xxx34",
"status": "Active",
"contactFamilyName": "xxx",
"contactFirstName": "XXX",
"tenure": "61",
"accountType": "INDIVIDUAL",
"billingAddress": {
"addressId": "2"
},
"accountSubType": "INDIVIDUAL_REGULAR",
"marketCode": "DAT"
}],
"totalDiscount": 0,
"totalShippingAmount": 6.99,
"status": "Completed",
"totalDue": 695.98,
"orderLineCollection": {
"orderLines": [{
"inventoryStatus": "true",
"fulfillmentType": "DGDFGDFG",
"dueTodayAmount": 45.5,
"imei": "232323",
"serialNumber": "2232323",
"orderLineId": "1",
"offer": {
"offerDescription": "232323",
"unitPrice": 649.99,
"productType": "Device"
},
"transactionType": "CHANGEDEVICE",
"isPreOrdered": false,
"taxCollection": {
"totalTax": 45.5,
"taxes": [{
"amount": 45.5,
"typeCode": "SALES"
}]
},
"quantity": 1,
"lineId": "1",
"deviceId": "12345",
"loanId": "2323232"
}]
},
"childOrders": [{
"orderType": "2344.q",
"orderId": "ASFDGDFGDD"
}, {
"orderType": "223423432.WE",
"orderId": "ESiDFGDFGgn"
}],
"totalAmount": 649.99,
"taxCollection": {
"totalTax": 45.5,
"taxes": [{
"amount": 45.5,
"typeCode": "SFDGALES"
}]
},
"creationTime": "2017-09-21T17:15:00",
"addresses": [{
"zip": "98099921",
"cityName": "FGFGFGFGF",
"countryCode": "UGFGS",
"purposes": ["Shipping"],
"stateCode": "WA",
"addressLine3": "DFGFG4",
"addressLine2": "FGFDG #2",
"addressId": "1",
"zipExt": "4343434901",
"addressLine1": "22DGDF213 30FGFGTHDR SE"
}, {
"zip": "3430346",
"cityName": "FFGFG",
"countryCode": "UFDGDFGS",
"purposes": ["Billing"],
"stateCode": "GDFGF",
"addressLine3": "DSGDFG",
"addressLine2": "FSGFG",
"addressId": "1",
"zipExt": "23232323",
"addressLine1": "One Ravinia drive"
}],
"salesInfo": {
"applicationId": "ESERFSDFSFVICE",
"senderSystemId": "MYTSDFDSMO",
"esignatureCaptureMode": "OFFLINE",
"salesChannel": "WEB"
},
"orderId": "xxxx",
"metadata": {
"lastModified": "2017-09-21T17:29:03.761-07:00"
}
}
我希望用Splunk查询得到 orderLineCollection.orderLines{}.serialNumber 的统计信息。我已经尝试用以下查询来获取统计数据:
| stats values(orderLineCollection.orderLines{}.serialNumber) as serialNumber| stats count by serialNumber
但它不起作用,没有返回任何值,Splunk只显示“未找到结果”。
有人可以帮助我吗?