https://community.splunk.com/t5/Splunk-Search/Differentiate-JSON-event-with-multiple-fields-with-the-same-name/m-p/545586#M154575 <P>Works perfectly, thanks!</P> Fri, 26 Mar 2021 12:59:59 GMT mlovasco 2021-03-26T12:59:59Z https://community.splunk.com/t5/Splunk-Search/Differentiate-JSON-event-with-multiple-fields-with-the-same-name/m-p/545511#M154530 <P>Hello - I have JSON events that have multiple items nested inside them.&nbsp; Each item has fields with the same name.&nbsp; I'm trying to report with stats and timechart on specifically "lastvalue_raw" for each "sensor" however when trying a few different things my query still chooses the first "lastvalue_raw" for any of the sensors.&nbsp; The JSON event could have any number of nested items within it depending on the type of sensor.&nbsp; Below is an example event:</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">{ "prtg-version": "21.1.65.1767", "treesize": 2, "sensor": [ { "device": "Colo Palo Alto FW1", "device_raw": "Colo Palo Alto FW1", "objid": 8219, "objid_raw": 8219, "sensor": "Comcast (1Gbit/s - Circuit ID)", "sensor_raw": "Comcast (1Gbit/s - Circuit ID)", "status": "Unusual", "status_raw": 10, "lastvalue": "37 Mbit/s", "lastvalue_raw": 4637266.8945 }, { "device": "Colo Palo Alto FW1", "device_raw": "Colo Palo Alto FW1", "objid": 33904, "objid_raw": 33904, "sensor": "Verizon Business (1Gbit/s - Circuit ID)", "sensor_raw": "Verizon Business (1Gbit/s - Circuit ID)", "status": "Up", "status_raw": 3, "lastvalue": "163 Mbit/s", "lastvalue_raw": 20343218.0333 } ] }</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>And here is an example of a query I have tried to separate them:</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=prtg_test sourcetype=_json | spath | rename "sensor{}.lastvalue_raw" AS lastvalue, "sensor{}.sensor" AS sensor | timechart span=1m latest(lastvalue) by sensor</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Any help is greatly appreciated!</P> Fri, 26 Mar 2021 12:59:31 GMT https://community.splunk.com/t5/Splunk-Search/Differentiate-JSON-event-with-multiple-fields-with-the-same-name/m-p/545511#M154530 mlovasco 2021-03-26T12:59:31Z https://community.splunk.com/t5/Splunk-Search/Differentiate-JSON-event-with-multiple-fields-with-the-same-name/m-p/545517#M154534 <P>hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/223809">@mlovasco</a>,<BR /><BR />Fields <STRONG>lastvalue</STRONG> and <STRONG>sensor</STRONG> are multivalue fields. You need to expand them before using timechart/stats command.</P><LI-CODE lang="markup">index=prtg_test sourcetype=_json | spath | rename "sensor{}.lastvalue_raw" AS lastvalue, "sensor{}.sensor" AS sensor | eval mzip=mvzip(sensor, lastvalue, "&amp;") | mvexpand mzip | eval mzip=split(mzip, "&amp;"), sensor=mvindex(mzip, 0), lastvalue=mvindex(mzip, 1) | timechart span=1m latest(lastvalue) by sensor</LI-CODE><P>&nbsp;</P><P>If this reply helps you, a like would be appreciated.</P> Fri, 26 Mar 2021 06:05:17 GMT https://community.splunk.com/t5/Splunk-Search/Differentiate-JSON-event-with-multiple-fields-with-the-same-name/m-p/545517#M154534 manjunathmeti 2021-03-26T06:05:17Z https://community.splunk.com/t5/Splunk-Search/Differentiate-JSON-event-with-multiple-fields-with-the-same-name/m-p/545586#M154575 <P>Works perfectly, thanks!</P> Fri, 26 Mar 2021 12:59:59 GMT https://community.splunk.com/t5/Splunk-Search/Differentiate-JSON-event-with-multiple-fields-with-the-same-name/m-p/545586#M154575 mlovasco 2021-03-26T12:59:59Z