Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Dashboarding from a JSON array.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dashboarding from a JSON array.
Below is a sample event ingested over HEC and a query. What I am interested in is creating a dashboard from miner.gpus{}. I want to dashboard miner.gpus{}.eth, miner.gpus{}.temp, and miner.gpus{}.fan. The expected miner.gpus{} count is always 8.
Is there an easy way to create a gauge for every index in the array? Or do I have to manually call out the index using mvindex?
index="rigs" rig="$miner$"
| spath output=values miner.gpus{}.eth
| eval value=mvindex(values,0)
| stats min(value) as minimum, max(value) as maximum, latest(value) as current
| table current, minimum, maximum
{
"rig": "MINER001",
"miner": {
"runningTime": "675",
"id": 0,
"DCR": {
"totalHashrate": "0",
"shares": "0",
"rejectedShares": "0",
"poolSwitches": "0",
"invalidShares": "0"
},
"version": "9.5 - ETH",
"miner": "claymore",
"pools": [
"us1.ethermine.org:14444"
],
"error": null,
"gpus": [
{
"temp": "83",
"dcr": "off",
"fan": "71",
"eth": "29890",
"index": 0
},
{
"temp": "73",
"dcr": "off",
"fan": "57",
"eth": "29934",
"index": 1
},
{
"temp": "69",
"dcr": "off",
"fan": "52",
"eth": "29940",
"index": 2
},
{
"temp": "74",
"dcr": "off",
"fan": "59",
"eth": "29816",
"index": 3
},
{
"temp": "76",
"dcr": "off",
"fan": "61",
"eth": "29813",
"index": 4
},
{
"temp": "77",
"dcr": "off",
"fan": "63",
"eth": "29895",
"index": 5
},
{
"temp": "73",
"dcr": "off",
"fan": "57",
"eth": "30204",
"index": 6
},
{
"temp": "62",
"dcr": "off",
"fan": "31",
"eth": "30103",
"index": 7
}
],
"isRunning": true,
"ETH": {
"totalHashrate": "239598",
"shares": "2383",
"rejectedShares": "0",
"poolSwitches": "0",
"invalidShares": "0"
}
},
"event_type": "heartbeat",
"uptime": 40860.5487383,
"uptimeUnits": "seconds"
}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
[Updated] Since your miner.gpus{}.eth field always has 8 elements, I have created a loop of 8 using map command. (PS: map command will be expensive and depending on Splunk settings it might restrict number of times a subsearch may run (by default it is 10)
| makeresults
| eval counterIdx="0 1 2 3 4 5 6 7"
| makemv counterIdx
| mvexpand counterIdx
| table counterIdx
| map search="search source=\"splunk_answers_551950_json_data.json\" host=\"NiketNilay-PC\" sourcetype=\"_json\"
| rename miner.gpus{}.eth as values
| eval value=mvindex(values,$counterIdx$)
| stats min(value) as minimum, max(value) as maximum, latest(value) as current
| table current, minimum, maximum"
Please see if this works, I have tested with the data you have provided. If the query is running too slow or not returning the desired result we might have to come up with different approach.
PS: Please take out/mask actual site/port name from jSON Data.
@cmisztur, if you need only the first value you can directly traverse to the same using 0 as index.
| spath output=values miner.gpus{0}.eth
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I need to traverse all indexes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@cmisztur, I have updated my answer. See if it fits your needs.
| makeresults | eval message= "Happy Splunking!!!"
Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!
Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern
A Prelude to .conf25: Your Guide to Splunk University
