https://community.splunk.com/t5/Getting-Data-In/extracting-values-from-fields-in-metrics/m-p/692052#M115070 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/266138">@Be_JAR</a>&nbsp; In your first screenshot, it looks like the k8s.pod.name field is already being extracted correctly? It seems to get extracted correctly when using this run-anywhere search using the payload you provided:</P><LI-CODE lang="markup">| makeresults | eval _raw="{ \"deployment.environment\":\"entorno-pruebas\", \"k8s.cluster.name\":\"splunk-otel\", \"k8s.namespace.name\":\"default\", \"k8s.node.name\":\"minikube\", \"k8s.pod.name\":\"my-otel-demo-emailservice-fc5bc4c5f-jxzqz\", \"k8s.pod.uid\":\"5fe1ada8-8baa-4960-b873-381b475b2b26\", \"metric_type\":\"Gauge\", \"os.type\":\"linux\", \"metric_name:k8s.pod.filesystem.usage\":491520 }" | spath | stats values(k8s.pod.name) as k8s.pod.name</LI-CODE><P>&nbsp;</P> Mon, 01 Jul 2024 04:51:35 GMT KendallW 2024-07-01T04:51:35Z https://community.splunk.com/t5/Getting-Data-In/extracting-values-from-fields-in-metrics/m-p/691669#M115028 <P>Hello.</P><P>I am working with opentelemetry metrics. I have a metric type index, and the format of the payload I receive is like this:<BR /><BR /></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Be_JAR_0-1719410145708.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/31468i4047C49F479F9483/image-size/medium?v=v2&amp;px=400" role="button" title="Be_JAR_0-1719410145708.png" alt="Be_JAR_0-1719410145708.png" /></span></P><P>example payload :</P><LI-CODE lang="markup">{"deployment.environment":"entorno-pruebas","k8s.cluster.name":"splunk-otel","k8s.namespace.name":"default","k8s.node.name":"minikube","k8s.pod.name":"my-otel-demo-emailservice-fc5bc4c5f-jxzqz","k8s.pod.uid":"5fe1ada8-8baa-4960-b873-381b475b2b26","metric_type":"Gauge","os.type":"linux","metric_name:k8s.pod.filesystem.usage":491520}</LI-CODE><P>&nbsp;</P><P><SPAN>I need a search that retrieves the various values ​​of the k8s.pod.name field. I'm trying different variations of the search, but I can't get it:<BR /><BR /></SPAN></P><LI-CODE lang="python">|mstats avg(_value) as VAL WHERE index=otel_k8s_metrics metric_name="metric_name:k8s.pod.filesystem.usage*" |spath input=_raw path=k8s.pod.name output=k8s.pod.name |stats values(k8s.pod.name) as k8s.pod.name |table k8s.pod.name</LI-CODE><P><SPAN>&nbsp;</SPAN></P><P><SPAN>Does anyone have any idea why it doesn't work. Metrics type indexes support spath</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>I appreciate any ideas</SPAN></P><P><SPAN>BR&nbsp;</SPAN></P><P><SPAN>JAR</SPAN></P><P>&nbsp;</P> Wed, 26 Jun 2024 13:57:56 GMT https://community.splunk.com/t5/Getting-Data-In/extracting-values-from-fields-in-metrics/m-p/691669#M115028 Be_JAR 2024-06-26T13:57:56Z https://community.splunk.com/t5/Getting-Data-In/extracting-values-from-fields-in-metrics/m-p/692052#M115070 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/266138">@Be_JAR</a>&nbsp; In your first screenshot, it looks like the k8s.pod.name field is already being extracted correctly? It seems to get extracted correctly when using this run-anywhere search using the payload you provided:</P><LI-CODE lang="markup">| makeresults | eval _raw="{ \"deployment.environment\":\"entorno-pruebas\", \"k8s.cluster.name\":\"splunk-otel\", \"k8s.namespace.name\":\"default\", \"k8s.node.name\":\"minikube\", \"k8s.pod.name\":\"my-otel-demo-emailservice-fc5bc4c5f-jxzqz\", \"k8s.pod.uid\":\"5fe1ada8-8baa-4960-b873-381b475b2b26\", \"metric_type\":\"Gauge\", \"os.type\":\"linux\", \"metric_name:k8s.pod.filesystem.usage\":491520 }" | spath | stats values(k8s.pod.name) as k8s.pod.name</LI-CODE><P>&nbsp;</P> Mon, 01 Jul 2024 04:51:35 GMT https://community.splunk.com/t5/Getting-Data-In/extracting-values-from-fields-in-metrics/m-p/692052#M115070 KendallW 2024-07-01T04:51:35Z