Solved: Time chart on object property

larryluckland · ‎09-30-2021

I'm new to Splunk and I'm trying to do something that is probably basic but I haven't been able to figure out how to do it.

I have a log in Splunk which contains an http_query along the lines of:

```

my_object[prop1]=someVal&my_object[prop2]=someOtherVal

```

I'm trying to use a timechart to inspect these values. I've tried:
`timechart count by my_object[prop1]` which tells me prop1 is undefined.

Then also tried

`timechart count by my_object.prop1` which gives me a time series with NULL everywhere.

How can I do this?

somesoni2 · ‎09-30-2021

Run a basic search (without timechart) in "Smart Mode" and see what fields are being extracted by Splunk (field sidebar appears on left on "Events" tab). If your http_query fields are extracted, then use the exact name in timechart as they appear in field sidebar.

View solution in original post

somesoni2 · ‎09-30-2021

Run a basic search (without timechart) in "Smart Mode" and see what fields are being extracted by Splunk (field sidebar appears on left on "Events" tab). If your http_query fields are extracted, then use the exact name in timechart as they appear in field sidebar.

Time chart on object property

panel

timechart

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

Data Management Digest – December 2025

Join the Conversation