Solved: Time chart on object property

larryluckland · ‎09-30-2021

I'm new to Splunk and I'm trying to do something that is probably basic but I haven't been able to figure out how to do it.

I have a log in Splunk which contains an http_query along the lines of:

```

my_object[prop1]=someVal&my_object[prop2]=someOtherVal

```

I'm trying to use a timechart to inspect these values. I've tried:
`timechart count by my_object[prop1]` which tells me prop1 is undefined.

Then also tried

`timechart count by my_object.prop1` which gives me a time series with NULL everywhere.

How can I do this?

somesoni2 · ‎09-30-2021

Run a basic search (without timechart) in "Smart Mode" and see what fields are being extracted by Splunk (field sidebar appears on left on "Events" tab). If your http_query fields are extracted, then use the exact name in timechart as they appear in field sidebar.

View solution in original post

somesoni2 · ‎09-30-2021

Run a basic search (without timechart) in "Smart Mode" and see what fields are being extracted by Splunk (field sidebar appears on left on "Events" tab). If your http_query fields are extracted, then use the exact name in timechart as they appear in field sidebar.

Time chart on object property

panel

timechart

Community Content Calendar, November Edition

October Community Champions: A Shoutout to Our Contributors!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?