topic Re: Splunk 6.3 - Correlate data from multidimensional JSON-encoded events in Splunk Dev

Splunk 6.3 - Correlate data from multidimensional JSON-encoded events

edgenuity — Fri, 09 Oct 2015 18:37:46 GMT

Hi,

We have an index populated with MTR (mytraceroute) data from remote hosts. We are looking for a way to parse this information and present a visualization (or at least a table) showing network hops, the number of times they show up in the data, and the average packet loss for each hop.

{
    "status": "success",
    "hops": [
        {
            "host": "192.168.1.1",
            "loss": "0.0%",
            "avg": "0.3"
        },
        {
            "host": "network-hop-1",
            "loss": "0.0%",
            "avg": "33.2"
        },
        {
            "host": "network-hop-2",
            "loss": "0.0%",
            "avg": "23.2"
        },
        {
            "host": "network-hop-3",
            "loss": "0.0%",
            "avg": "23.6"
        },
        {
            "host": "network-hop-4",
            "loss": "40.0%",
            "avg": "25.3"
        },
        {
            "host": "network-hop-5",
            "loss": "0.0%",
            "avg": "25.2"
        },
        {
            "host": "network-hop-6",
            "loss": "0.0%",
            "avg": "25.5"
        }
    ],
    "totalhops": "7",
    "appliance": "HOSTNAME"
}

We need a table that shows --

hop, [number of events containing this hop], [average loss % to this hop across all events containing it], [average time (avg) to this hop]

Any idea how to do this?

Re: Splunk 6.3 - Correlate data from multidimensional JSON-encoded events

somesoni2 — Fri, 09 Oct 2015 19:46:11 GMT

Assuming this json format data is properly parsed by Splunk (props.conf is setup correctly to extract fields), then try something like this

your base search | table host{}* | rename host{}.* as * | eval temp=mvzip(host,mvzip(loss,avg,"#"),"#") | table temp | mvexpand temp | rex field=temp "(?<hop>.*)#(?<loss>.*)%#(?<time>.*)" | stats count, avg(loss) as Avg_Loss_% avg(time) as Avg_Time by hop

Re: Splunk 6.3 - Correlate data from multidimensional JSON-encoded events

edgenuity — Mon, 12 Oct 2015 20:49:48 GMT

That gives no statistics results at all. Sorry to be so unhelpful with my reply but I'm not understanding how the search string is intended to work.

Re: Splunk 6.3 - Correlate data from multidimensional JSON-encoded events

edgenuity — Mon, 12 Oct 2015 20:54:07 GMT

Thank you, there was one minor mistake (should be ' table hops{}* | rename hops{}.* as * ' ... but otherwise this is perfect. Thank you!