https://community.splunk.com/t5/Splunk-Search/Need-help-with-json-spath-search/m-p/673747#M230672 <P>Hello,&nbsp;</P><P><SPAN>I have seen a few of the spath topics around, but wasn't able to understand enough to make it work for my data.&nbsp;</SPAN></P><P><SPAN>I would like to create a line chart using&nbsp;<EM>pointlist</EM>&nbsp;values - it contains timestamp in epoch and CPU%</SPAN></P><P><SPAN>Search I tried but not working as expected to extract this data:</SPAN></P><LI-CODE lang="markup">index="splunk_test" source="test.json" | spath output=pointlist path=series{}.pointlist{}{} | mvexpand pointlist | table pointlist</LI-CODE><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="madhav_dholakia_0-1704878418188.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/28834i9CA51C7844841BD6/image-size/medium?v=v2&amp;px=400" role="button" title="madhav_dholakia_0-1704878418188.png" alt="madhav_dholakia_0-1704878418188.png" /></span></P><P>Please see below sample json.</P><LI-CODE lang="javascript">{"status": "ok", "res_type": "time_series", "resp_version": 1, "query": "system.cpu.idle{*}", "from_date": 1698796800000, "to_date": 1701388799000, "series": [{"unit": [{"family": "percentage", "id": 17, "name": "percent", "short_name": "%", "plural": "percent", "scale_factor": 1.0}, null], "query_index": 0, "aggr": null, "metric": "system.cpu.idle", "tag_set": [], "expression": "system.cpu.idle{*}", "scope": "*", "interval": 14400, "length": 180, "start": 1698796800000, "end": 1701388799000, "pointlist": [[1698796800000.0, 67.48220718526889], [1698811200000.0, 67.15981521730248], [1698825600000.0, 67.07217666403122], [1698840000000.0, 64.72434584884627], [1698854400000.0, 64.0411289094932], [1698868800000.0, 64.17585938553243], [1698883200000.0, 64.044969119166], [1698897600000.0, 63.448143595246194], [1698912000000.0, 63.80226399404451], [1698926400000.0, 63.93216493520908], [1698940800000.0, 63.983679174088145], [1701331200000.0, 63.3783379315815], [1701345600000.0, 63.45321248782884], [1701360000000.0, 63.452383398041064], [1701374400000.0, 63.46314971048991]], "display_name": "system.cpu.idle", "attributes": {}}], "values": [], "times": [], "message": "", "group_by": []}</LI-CODE><P>can you please help how I can achieve this?</P><P>Thank you.</P><P>Regards,</P><P>Madhav</P> Wed, 10 Jan 2024 09:23:08 GMT madhav_dholakia 2024-01-10T09:23:08Z https://community.splunk.com/t5/Splunk-Search/Need-help-with-json-spath-search/m-p/673747#M230672 <P>Hello,&nbsp;</P><P><SPAN>I have seen a few of the spath topics around, but wasn't able to understand enough to make it work for my data.&nbsp;</SPAN></P><P><SPAN>I would like to create a line chart using&nbsp;<EM>pointlist</EM>&nbsp;values - it contains timestamp in epoch and CPU%</SPAN></P><P><SPAN>Search I tried but not working as expected to extract this data:</SPAN></P><LI-CODE lang="markup">index="splunk_test" source="test.json" | spath output=pointlist path=series{}.pointlist{}{} | mvexpand pointlist | table pointlist</LI-CODE><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="madhav_dholakia_0-1704878418188.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/28834i9CA51C7844841BD6/image-size/medium?v=v2&amp;px=400" role="button" title="madhav_dholakia_0-1704878418188.png" alt="madhav_dholakia_0-1704878418188.png" /></span></P><P>Please see below sample json.</P><LI-CODE lang="javascript">{"status": "ok", "res_type": "time_series", "resp_version": 1, "query": "system.cpu.idle{*}", "from_date": 1698796800000, "to_date": 1701388799000, "series": [{"unit": [{"family": "percentage", "id": 17, "name": "percent", "short_name": "%", "plural": "percent", "scale_factor": 1.0}, null], "query_index": 0, "aggr": null, "metric": "system.cpu.idle", "tag_set": [], "expression": "system.cpu.idle{*}", "scope": "*", "interval": 14400, "length": 180, "start": 1698796800000, "end": 1701388799000, "pointlist": [[1698796800000.0, 67.48220718526889], [1698811200000.0, 67.15981521730248], [1698825600000.0, 67.07217666403122], [1698840000000.0, 64.72434584884627], [1698854400000.0, 64.0411289094932], [1698868800000.0, 64.17585938553243], [1698883200000.0, 64.044969119166], [1698897600000.0, 63.448143595246194], [1698912000000.0, 63.80226399404451], [1698926400000.0, 63.93216493520908], [1698940800000.0, 63.983679174088145], [1701331200000.0, 63.3783379315815], [1701345600000.0, 63.45321248782884], [1701360000000.0, 63.452383398041064], [1701374400000.0, 63.46314971048991]], "display_name": "system.cpu.idle", "attributes": {}}], "values": [], "times": [], "message": "", "group_by": []}</LI-CODE><P>can you please help how I can achieve this?</P><P>Thank you.</P><P>Regards,</P><P>Madhav</P> Wed, 10 Jan 2024 09:23:08 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-with-json-spath-search/m-p/673747#M230672 madhav_dholakia 2024-01-10T09:23:08Z https://community.splunk.com/t5/Splunk-Search/Need-help-with-json-spath-search/m-p/673757#M230677 <P>It appears that two dimensional arrays are not easily handled (unless someone else knows differently), so you could try something like this:</P><LI-CODE lang="markup">| spath output=pointlist path=series{}.pointlist{}{} | mvexpand pointlist | table pointlist | streamstats count as row | streamstats count(eval(row % 2==1)) as row | stats list(pointlist) as pointlist by row | sort 0 row | eval pointX = mvindex(pointlist,0) | eval pointY = mvindex(pointlist,1)</LI-CODE> Wed, 10 Jan 2024 10:10:22 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-with-json-spath-search/m-p/673757#M230677 ITWhisperer 2024-01-10T10:10:22Z https://community.splunk.com/t5/Splunk-Search/Need-help-with-json-spath-search/m-p/673768#M230679 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;- thanks a lot, this worked like a charm.</P> Wed, 10 Jan 2024 11:17:20 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-with-json-spath-search/m-p/673768#M230679 madhav_dholakia 2024-01-10T11:17:20Z