All Apps and Add-ons

How to create 12- month trend line from data getting from a JSON endpoint?

chiraggl
Engager

Have to create 12- month trend line and data I am getting it in JSON. Please check the enclosed screenshot, I could able to create the alt texttable.

0 Karma

to4kawa
Ultra Champion
| makeresults count=2
| eval time=split("2018-12-02#2019-03-24","#")
| mvexpand time
| eval _time=strptime(time,"%F")
| makecontinuous span=7d _time
| eval temp="480.0,480.0,480.0,470.0,470.0,470.0,460.0,460.0,460.0,460.0,470.0,510.0,510.0,510.0,520.0,530.0,530.0"
| streamstats current=f count 
| eval y=mvindex(split(temp,","),count)
| eval x=strftime(_time,"%F")
| table y x 
| eval count = 1
| stats list(*) as * by count
| rename x as "graph_data.ratings{}.x" 
| rename y as "graph_data.ratings{}.y"
| fields - count
| rename COMMENT as "this is sample you provide"
| rename COMMENT as "from here, the logic"
| eval _time=strptime('graph_data.ratings{}.x',"%F")
| stats list(*) as * by _time
| streamstats current=f count
| eval rating=mvindex('graph_data.ratings{}.y',count)
| table _time rating
| rename COMMENT as "viz > Line Chart"

Hi, @chiraggl
I chose not to use mvexpand.

0 Karma

aberkow
Builder

Something like this should work for you, but you might need to play around with it a little to get the exact form you want (I didn't know if you had an _time field from these logs and if it correlated with the date stamp you had).

| baseSearch
| eval zip=mvzip('graph_data.ratings{}.y', 'graph_data.ratings{}x')
| mvexpand zip
| eval zip=split(zip, ",")
| eval ratings=mvindex(zip,0)
| eval time=mvindex(zip,1)
| eval _time=strptime(time, "%Y-%m-%d")
| timechart values(ratings) span=w

Essentially, zip each value pair together, expand them into their own rows, index out the values, create a _time field if it doesn't exist, then plug that into a timechart command. Hope this helps!

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...