Solved: Time chart on object property

larryluckland · ‎09-30-2021

I'm new to Splunk and I'm trying to do something that is probably basic but I haven't been able to figure out how to do it.

I have a log in Splunk which contains an http_query along the lines of:

```

my_object[prop1]=someVal&my_object[prop2]=someOtherVal

```

I'm trying to use a timechart to inspect these values. I've tried:
`timechart count by my_object[prop1]` which tells me prop1 is undefined.

Then also tried

`timechart count by my_object.prop1` which gives me a time series with NULL everywhere.

How can I do this?

somesoni2 · ‎09-30-2021

Run a basic search (without timechart) in "Smart Mode" and see what fields are being extracted by Splunk (field sidebar appears on left on "Events" tab). If your http_query fields are extracted, then use the exact name in timechart as they appear in field sidebar.

View solution in original post

somesoni2 · ‎09-30-2021

Run a basic search (without timechart) in "Smart Mode" and see what fields are being extracted by Splunk (field sidebar appears on left on "Events" tab). If your http_query fields are extracted, then use the exact name in timechart as they appear in field sidebar.

Time chart on object property

panel

timechart

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...