https://community.splunk.com/t5/Getting-Data-In/Convert-table-generated-by-JSON-into-a-timeline/m-p/513958#M87129 <P>I have a service that is dropping a json object every 5 minutes. These objects contain multiple KeyValuePair Categories with multiple KVP Properies within them. If I use the following query:<BR /><BR />index= ****Query ****<BR />| spath input=Properties.Data path=Items{} output=Items<BR />| stats count by Items<BR />| spath input=Items path=Props{} output=Props<BR />| mvexpand Props<BR />| spath input=Props<BR />| spath input=Items<BR />| fields - Items count Props*<BR />| where CN="ClientId" AND PN="Client_authentication_success"<BR /><BR />Which generates a table:<BR />CN | CV | PN | PV<BR />(CategoryName | CategoryValue | PropertyName | PropertyValue)<BR /><BR />The problem is that I cannot seem to generate a timeline from that data. I think this is because its pulling ALL the data from the entire duration and none of it contains any time information for each individual log they belong to. So I may need to inject the time information early on before it aggregates all the data into one report.&nbsp;<BR /><BR />I'm Assuming the table would need to look more like:<BR />_time | CN | CV | PN | PV<BR /><BR />From there I'm assuming it would be something like:<BR />| timechart span=5m sum(PV) by CV where sum in top10<BR />To get a timeline going.<BR /><BR />Here is an example of one record:<BR />{"Items":[{"CN":"ClientId","CV":"ABC0001","Props":[{"PN":"Client_authentication_success","PV":10}]},{"CN":"ClientId","CV":"CDE0001","Props":[{"PN":"Client_authentication_success","PV":754}]},{"CN":"ClientId","CV":"ABC0002","Props":[{"PN":"Client_authentication_success","PV":33}]}]}</P> Thu, 13 Aug 2020 19:16:38 GMT topherbirth 2020-08-13T19:16:38Z https://community.splunk.com/t5/Getting-Data-In/Convert-table-generated-by-JSON-into-a-timeline/m-p/513958#M87129 <P>I have a service that is dropping a json object every 5 minutes. These objects contain multiple KeyValuePair Categories with multiple KVP Properies within them. If I use the following query:<BR /><BR />index= ****Query ****<BR />| spath input=Properties.Data path=Items{} output=Items<BR />| stats count by Items<BR />| spath input=Items path=Props{} output=Props<BR />| mvexpand Props<BR />| spath input=Props<BR />| spath input=Items<BR />| fields - Items count Props*<BR />| where CN="ClientId" AND PN="Client_authentication_success"<BR /><BR />Which generates a table:<BR />CN | CV | PN | PV<BR />(CategoryName | CategoryValue | PropertyName | PropertyValue)<BR /><BR />The problem is that I cannot seem to generate a timeline from that data. I think this is because its pulling ALL the data from the entire duration and none of it contains any time information for each individual log they belong to. So I may need to inject the time information early on before it aggregates all the data into one report.&nbsp;<BR /><BR />I'm Assuming the table would need to look more like:<BR />_time | CN | CV | PN | PV<BR /><BR />From there I'm assuming it would be something like:<BR />| timechart span=5m sum(PV) by CV where sum in top10<BR />To get a timeline going.<BR /><BR />Here is an example of one record:<BR />{"Items":[{"CN":"ClientId","CV":"ABC0001","Props":[{"PN":"Client_authentication_success","PV":10}]},{"CN":"ClientId","CV":"CDE0001","Props":[{"PN":"Client_authentication_success","PV":754}]},{"CN":"ClientId","CV":"ABC0002","Props":[{"PN":"Client_authentication_success","PV":33}]}]}</P> Thu, 13 Aug 2020 19:16:38 GMT https://community.splunk.com/t5/Getting-Data-In/Convert-table-generated-by-JSON-into-a-timeline/m-p/513958#M87129 topherbirth 2020-08-13T19:16:38Z https://community.splunk.com/t5/Getting-Data-In/Convert-table-generated-by-JSON-into-a-timeline/m-p/513976#M87131 <P>Hi</P><P>can you try if you adding replace your stats with</P><LI-CODE lang="java">| stats values(_time) as _time count by Items</LI-CODE><P>on your query?</P><P>r. Ismo&nbsp;</P> Thu, 13 Aug 2020 20:11:51 GMT https://community.splunk.com/t5/Getting-Data-In/Convert-table-generated-by-JSON-into-a-timeline/m-p/513976#M87131 isoutamo 2020-08-13T20:11:51Z https://community.splunk.com/t5/Getting-Data-In/Convert-table-generated-by-JSON-into-a-timeline/m-p/513997#M87132 <P>I managed to get a working query:<BR /><BR />| spath input=Properties.Data path=Items{} output=Items<BR />| mvexpand Items<BR />| rename Items as _raw<BR />| spath path=Props{} output=ThePs<BR />| mvexpand ThePs<BR />| kv<BR />| spath input=ThePs path=PN output=PN<BR />| spath input=ThePs path=PV output=PV<BR />| table _time, CN, CV, PN, PV<BR />| timechart span=5m sum(PV) by CV where sum in top10</P> Thu, 13 Aug 2020 22:07:21 GMT https://community.splunk.com/t5/Getting-Data-In/Convert-table-generated-by-JSON-into-a-timeline/m-p/513997#M87132 topherbirth 2020-08-13T22:07:21Z