https://community.splunk.com/t5/Getting-Data-In/Grouping-JSON-data-and-creating-dynamic-chart/m-p/180830#M36265 <P>Hi experts,</P> <P>I am trying to create a dashboard from my data, which is logged in JSON format. However, I am stuck with getting sub-elements from the JSON as lines in my chart.</P> <P>Here is a sample log:</P> <PRE><CODE>{ [-] DataThroughput: { [-] Updates per second: 576.0666666666667 Incoming Requests per second: 388.7 Processed Requests per second: 382.35 } DeploymentId: c84e3e1fe4f74408876bea1a9f6c60e1 LogLevel: Info LogTime: 2015-05-05T14:51:37.5168234+00:00 } </CODE></PRE> <P>I get one of these every minute into splunk. My ultimate goal is to have a timechart over the data throughput of my system, i.e.:</P> <P>X-Axis: The time (say over the last 1h)<BR /> Y-Axis: The average throughput per second</P> <P>In this example, the timechart would have three lines (one for Updates / s, one for Incoming Requests / s and one for Processed Requests / s).</P> <P>Now I know how to do this for this static case, but in my real world scenario, the number of children under the node "DataThroughput" and their names is unknown and changes frequently. Is there a clever way to extract all children of the "DataThroughput" node in the JSON data and build a line in a timechart for each of them without specifying them directly?</P> <P>Thanks a lot,<BR /> Christian</P> Tue, 05 May 2015 15:00:39 GMT MemoreX42 2015-05-05T15:00:39Z https://community.splunk.com/t5/Getting-Data-In/Grouping-JSON-data-and-creating-dynamic-chart/m-p/180830#M36265 <P>Hi experts,</P> <P>I am trying to create a dashboard from my data, which is logged in JSON format. However, I am stuck with getting sub-elements from the JSON as lines in my chart.</P> <P>Here is a sample log:</P> <PRE><CODE>{ [-] DataThroughput: { [-] Updates per second: 576.0666666666667 Incoming Requests per second: 388.7 Processed Requests per second: 382.35 } DeploymentId: c84e3e1fe4f74408876bea1a9f6c60e1 LogLevel: Info LogTime: 2015-05-05T14:51:37.5168234+00:00 } </CODE></PRE> <P>I get one of these every minute into splunk. My ultimate goal is to have a timechart over the data throughput of my system, i.e.:</P> <P>X-Axis: The time (say over the last 1h)<BR /> Y-Axis: The average throughput per second</P> <P>In this example, the timechart would have three lines (one for Updates / s, one for Incoming Requests / s and one for Processed Requests / s).</P> <P>Now I know how to do this for this static case, but in my real world scenario, the number of children under the node "DataThroughput" and their names is unknown and changes frequently. Is there a clever way to extract all children of the "DataThroughput" node in the JSON data and build a line in a timechart for each of them without specifying them directly?</P> <P>Thanks a lot,<BR /> Christian</P> Tue, 05 May 2015 15:00:39 GMT https://community.splunk.com/t5/Getting-Data-In/Grouping-JSON-data-and-creating-dynamic-chart/m-p/180830#M36265 MemoreX42 2015-05-05T15:00:39Z https://community.splunk.com/t5/Getting-Data-In/Grouping-JSON-data-and-creating-dynamic-chart/m-p/180831#M36266 <P>So first, you want to extract all the data in the specific node - one way of doing that is by using two <CODE>spath</CODE> commands. You'll need to use the <CODE>fields</CODE> command too, in order to make sure those are the only fields that we dealing with.</P> <PRE><CODE>| spath DataThroughput | fields DataThroughput | spath input=DataThroughput | timechart avg(*) as * </CODE></PRE> <P>Now you can add span to timechart to adjust the sampling interval (e.g. <CODE>timechart span=15m avg(*) as *</CODE> and obviously tweak the time range to whatever you need (you had mentioned over the last hour). If you don't use the span option of timechart, it will just set your sampling interval automatically. </P> Tue, 05 May 2015 17:51:19 GMT https://community.splunk.com/t5/Getting-Data-In/Grouping-JSON-data-and-creating-dynamic-chart/m-p/180831#M36266 aljohnson_splun 2015-05-05T17:51:19Z https://community.splunk.com/t5/Getting-Data-In/Grouping-JSON-data-and-creating-dynamic-chart/m-p/180832#M36267 <P>Thanks, this works just the way I wanted it, thanks a lot!</P> Wed, 06 May 2015 07:49:14 GMT https://community.splunk.com/t5/Getting-Data-In/Grouping-JSON-data-and-creating-dynamic-chart/m-p/180832#M36267 MemoreX42 2015-05-06T07:49:14Z