topic Re: Creating dashboard with 4 columns in Splunk Search

Creating dashboard with 4 columns

shenoyveer — Fri, 13 Sep 2024 04:28:47 GMT

Hi Team,

I am sending json data to Splunk server and I want to create a dashboard out of it.

My data is in the below format and I need help in creating the dashboard out of it.

example:

{"value": ["new-repo-1: 2: yes: 17", "new-repo-2: 30:no:10", "new-one-3:15:yes:0", "old-repo: 10:yes:23", "my-repo: 10:no:15"]} and many more similar entries.

my dashboard should look like,

repos	count	active	count
new-repo	2	yes	17
new-repo-2	30	no	10
new-one-3	15	yes	0
old-repo	10	yes	23
my-repo	10	no	15

I am able to write the rex for single field using extract pairdelim="\"{,}" kvdelim=":" but not able to do it for complete dashboard.

can someone help?

Thanks,

Veeresh Shenoy

Re: Creating dashboard with 4 columns

ITWhisperer — Fri, 13 Sep 2024 07:45:21 GMT

Your data looks like JSON so perhaps you should start by extracting the value collection into a multivalue field. You can then use mvexpand to split it into separate events, and use rex to extract the fields. Note that you can't have two columns / fields with the same name as you have shown

| spath value{} output=value | mvexpand value | rex field=value "(?<repos>[^:]+):\s*(?<count>\d+):\s*(?<active>\w+):\s*(?<othercount>\d+)" | table repos count active othercount

Re: Creating dashboard with 4 columns

shenoyveer — Fri, 13 Sep 2024 10:17:49 GMT

Thank you soo much @ITWhisperer

this worked for me 🙂

Re: Creating dashboard with 4 columns

shenoyveer — Mon, 16 Sep 2024 11:47:02 GMT

This query worked but I have found one issue that its taking duplicate values in dashboard if we run it again

is there any way that we can avoid old value if we run multiple times in lesser time?

Re: Creating dashboard with 4 columns

shenoyveer — Mon, 16 Sep 2024 11:53:01 GMT

I got the query that we need to use dedup

thanks anyway.