<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic JSON element names contains dynamic part - how to create table in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/JSON-element-names-contains-dynamic-part-how-to-create-table/m-p/331528#M61413</link>
    <description>&lt;P&gt;My JSON log file contains metrics - below message example. Json elements name and number are not fixed. As you can see element meters.bytesInPerSec.APPLICATION_NAME can be repeated for all applications dynamically.&lt;/P&gt;

&lt;P&gt;How should I configure props.conf and how should I write query to get following table:&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;application, m5_rate&lt;/STRONG&gt;&lt;BR /&gt;
my-application-name-a, 0&lt;BR /&gt;
my-application-name-b, 0&lt;BR /&gt;
my-application-name-c, 18.081537604791322&lt;BR /&gt;
my-application-name-d, 0&lt;/P&gt;

&lt;P&gt;If such question was already answered please point me to proper doc/answer.&lt;/P&gt;

&lt;P&gt;Eg message:&lt;BR /&gt;
&lt;CODE&gt;{&lt;BR /&gt;
  "time": 1512637302765,  &lt;BR /&gt;
    "meters": {&lt;BR /&gt;
      "bytesInPerSec.my-application-name-a": {&lt;BR /&gt;
        "count": 0,&lt;BR /&gt;
        "m1_rate": 0,&lt;BR /&gt;
        "m5_rate": 0,&lt;BR /&gt;
        "m15_rate": 0,&lt;BR /&gt;
        "mean_rate": 0,&lt;BR /&gt;
        "units": "bytes/SECONDS"&lt;BR /&gt;
      },&lt;BR /&gt;
      "bytesInPerSec.my-application-name-b": {&lt;BR /&gt;
        "count": 0,&lt;BR /&gt;
        "m1_rate": 0,&lt;BR /&gt;
        "m5_rate": 0,&lt;BR /&gt;
        "m15_rate": 0,&lt;BR /&gt;
        "mean_rate": 0,&lt;BR /&gt;
        "units": "bytes/SECONDS"&lt;BR /&gt;
      },&lt;BR /&gt;
      "bytesInPerSec.my-application-name-c": {&lt;BR /&gt;
        "count": 152503217,&lt;BR /&gt;
        "m1_rate": 16.733471413145928,&lt;BR /&gt;
        "m5_rate": 17.948078497437745,&lt;BR /&gt;
        "m15_rate": 18.081537604791322,&lt;BR /&gt;
        "mean_rate": 39.63002548338987,&lt;BR /&gt;
        "units": "bytes/SECONDS"&lt;BR /&gt;
      },&lt;BR /&gt;
      "bytesInPerSec.my-application-name-d": {&lt;BR /&gt;
        "count": 0,&lt;BR /&gt;
        "m1_rate": 0,&lt;BR /&gt;
        "m5_rate": 0,&lt;BR /&gt;
        "m15_rate": 0,&lt;BR /&gt;
        "mean_rate": 0,&lt;BR /&gt;
        "units": "bytes/SECONDS"&lt;BR /&gt;
      }&lt;BR /&gt;
    }&lt;BR /&gt;
  }&lt;BR /&gt;
&lt;/CODE&gt;&lt;/P&gt;</description>
    <pubDate>Fri, 08 Dec 2017 07:40:24 GMT</pubDate>
    <dc:creator>pszpor</dc:creator>
    <dc:date>2017-12-08T07:40:24Z</dc:date>
    <item>
      <title>JSON element names contains dynamic part - how to create table</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/JSON-element-names-contains-dynamic-part-how-to-create-table/m-p/331528#M61413</link>
      <description>&lt;P&gt;My JSON log file contains metrics - below message example. Json elements name and number are not fixed. As you can see element meters.bytesInPerSec.APPLICATION_NAME can be repeated for all applications dynamically.&lt;/P&gt;

&lt;P&gt;How should I configure props.conf and how should I write query to get following table:&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;application, m5_rate&lt;/STRONG&gt;&lt;BR /&gt;
my-application-name-a, 0&lt;BR /&gt;
my-application-name-b, 0&lt;BR /&gt;
my-application-name-c, 18.081537604791322&lt;BR /&gt;
my-application-name-d, 0&lt;/P&gt;

&lt;P&gt;If such question was already answered please point me to proper doc/answer.&lt;/P&gt;

&lt;P&gt;Eg message:&lt;BR /&gt;
&lt;CODE&gt;{&lt;BR /&gt;
  "time": 1512637302765,  &lt;BR /&gt;
    "meters": {&lt;BR /&gt;
      "bytesInPerSec.my-application-name-a": {&lt;BR /&gt;
        "count": 0,&lt;BR /&gt;
        "m1_rate": 0,&lt;BR /&gt;
        "m5_rate": 0,&lt;BR /&gt;
        "m15_rate": 0,&lt;BR /&gt;
        "mean_rate": 0,&lt;BR /&gt;
        "units": "bytes/SECONDS"&lt;BR /&gt;
      },&lt;BR /&gt;
      "bytesInPerSec.my-application-name-b": {&lt;BR /&gt;
        "count": 0,&lt;BR /&gt;
        "m1_rate": 0,&lt;BR /&gt;
        "m5_rate": 0,&lt;BR /&gt;
        "m15_rate": 0,&lt;BR /&gt;
        "mean_rate": 0,&lt;BR /&gt;
        "units": "bytes/SECONDS"&lt;BR /&gt;
      },&lt;BR /&gt;
      "bytesInPerSec.my-application-name-c": {&lt;BR /&gt;
        "count": 152503217,&lt;BR /&gt;
        "m1_rate": 16.733471413145928,&lt;BR /&gt;
        "m5_rate": 17.948078497437745,&lt;BR /&gt;
        "m15_rate": 18.081537604791322,&lt;BR /&gt;
        "mean_rate": 39.63002548338987,&lt;BR /&gt;
        "units": "bytes/SECONDS"&lt;BR /&gt;
      },&lt;BR /&gt;
      "bytesInPerSec.my-application-name-d": {&lt;BR /&gt;
        "count": 0,&lt;BR /&gt;
        "m1_rate": 0,&lt;BR /&gt;
        "m5_rate": 0,&lt;BR /&gt;
        "m15_rate": 0,&lt;BR /&gt;
        "mean_rate": 0,&lt;BR /&gt;
        "units": "bytes/SECONDS"&lt;BR /&gt;
      }&lt;BR /&gt;
    }&lt;BR /&gt;
  }&lt;BR /&gt;
&lt;/CODE&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 08 Dec 2017 07:40:24 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/JSON-element-names-contains-dynamic-part-how-to-create-table/m-p/331528#M61413</guid>
      <dc:creator>pszpor</dc:creator>
      <dc:date>2017-12-08T07:40:24Z</dc:date>
    </item>
    <item>
      <title>Re: JSON element names contains dynamic part - how to create table</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/JSON-element-names-contains-dynamic-part-how-to-create-table/m-p/331529#M61414</link>
      <description>&lt;P&gt;Hi @pszpor,&lt;/P&gt;

&lt;P&gt;You can achieve this via search query based on sample data you have provided please try below query (First 2 lines are used to generate dummay data)&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;| makeresults
| eval _raw="{ \"time\": 1512637302765, \"meters\": { \"bytesInPerSec.my-application-name-a\": { \"count\": 0, \"m1_rate\": 0, \"m5_rate\": 0, \"m15_rate\": 0, \"mean_rate\": 0, \"units\": \"bytes/SECONDS\" }, \"bytesInPerSec.my-application-name-b\": { \"count\": 0, \"m1_rate\": 0, \"m5_rate\": 0, \"m15_rate\": 0, \"mean_rate\": 0, \"units\": \"bytes/SECONDS\" }, \"bytesInPerSec.my-application-name-c\": { \"count\": 152503217, \"m1_rate\": 16.733471413145928, \"m5_rate\": 17.948078497437745, \"m15_rate\": 18.081537604791322, \"mean_rate\": 39.63002548338987, \"units\": \"bytes/SECONDS\" }, \"bytesInPerSec.my-application-name-d\": { \"count\": 0, \"m1_rate\": 0, \"m5_rate\": 0, \"m15_rate\": 0, \"mean_rate\": 0, \"units\": \"bytes/SECONDS\" } } }"
| spath
| rename meters.bytesInPerSec.my-application-name-*.m15_rate AS my-application-name-*
| table my-application-name*
| transpose column_name=application
| rename "row 1" AS m15_rate
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;I hope this helps.&lt;/P&gt;

&lt;P&gt;Thanks,&lt;BR /&gt;
Harshil&lt;/P&gt;</description>
      <pubDate>Fri, 08 Dec 2017 13:43:20 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/JSON-element-names-contains-dynamic-part-how-to-create-table/m-p/331529#M61414</guid>
      <dc:creator>harsmarvania57</dc:creator>
      <dc:date>2017-12-08T13:43:20Z</dc:date>
    </item>
  </channel>
</rss>

