Grouping JSON data and creating dynamic chart

MemoreX42
Explorer

Hi experts,

I am trying to create a dashboard from my data, which is logged in JSON format. However, I am stuck with getting sub-elements from the JSON as lines in my chart.

Here is a sample log:

{
  "DataThroughput": {
    "Updates per second": 576.0666666666667,
    "Incoming Requests per second": 388.7,
    "Processed Requests per second": 382.35
  },
  "DeploymentId": "c84e3e1fe4f74408876bea1a9f6c60e1",
  "LogLevel": "Info",
  "LogTime": "2015-05-05T14:51:37.5168234+00:00"
}

I get one of these every minute into Splunk. My ultimate goal is to have a timechart over the data throughput of my system, i.e.:

X-Axis: The time (say over the last 1h)
Y-Axis: The average throughput per second

In this example, the timechart would have three lines (one for Updates / s, one for Incoming Requests / s and one for Processed Requests / s).

Now I know how to do this for this static case, but in my real world scenario, the number of children under the node "DataThroughput" and their names are unknown and change frequently. Is there a clever way to extract all children of the "DataThroughput" node in the JSON data and build a line in a timechart for each of them without specifying them directly?

Thanks a lot,
Christian

aljohnson_splun
Splunk Employee

So first, you want to extract all the data in the specific node - one way of doing that is by using two spath commands. You'll need to use the fields command too, in order to make sure those are the only fields that we're dealing with.

| spath DataThroughput
| fields DataThroughput
| spath input=DataThroughput
| timechart avg(*) as *

Now you can add span to timechart to adjust the sampling interval (e.g. timechart span=15m avg(*) as *) and obviously tweak the time range to whatever you need (you had mentioned over the last hour). If you don't use the span option of timechart, it will just set your sampling interval automatically.
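
To show what the two spath calls and timechart avg(*) as * actually do with a node whose children change over time, here is an added Python emulation of that pipeline (my own example, not code from the answer or from Splunk). The events, the 15-minute span and the extra "Dropped Requests per second" child are constructed assumptions; note how a child that is missing from a bucket comes out as null rather than breaking the chart.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not from the original post): one JSON record per
# minute, and the children under DataThroughput change between events.
def _event(logtime, **throughput):
    return json.dumps({"DataThroughput": throughput, "DeploymentId": "deploy-placeholder",
                       "LogLevel": "Info", "LogTime": logtime})

SAMPLE_EVENTS = [
    _event("2015-05-05T14:51:37.5168234+00:00", **{"Updates per second": 500,
           "Incoming Requests per second": 300, "Processed Requests per second": 280}),
    _event("2015-05-05T14:52:37.5168234+00:00", **{"Updates per second": 600,
           "Incoming Requests per second": 400, "Processed Requests per second": 320}),
    _event("2015-05-05T15:06:37.5168234+00:00", **{"Updates per second": 700,
           "Incoming Requests per second": 450, "Processed Requests per second": 440,
           "Dropped Requests per second": 10}),   # a new child appears
    _event("2015-05-05T15:07:37.5168234+00:00", **{"Updates per second": 800,
           "Incoming Requests per second": 550, "Dropped Requests per second": 30}),  # one child gone
]

def parse_logtime(text):
    """.NET-style timestamps carry 7 fractional digits; trim to 6 for fromisoformat."""
    return datetime.fromisoformat(re.sub(r"(\.\d{6})\d+", r"\1", text))

def extract_throughput(raw_event):
    """Mirror `spath DataThroughput | spath input=DataThroughput`: every child
    of the node becomes a field, whatever its name."""
    event = json.loads(raw_event)
    node = event.get("DataThroughput", {})
    return parse_logtime(event["LogTime"]), {k: float(v) for k, v in node.items()}

def timechart_avg(raw_events, span_minutes=15):
    """Emulate `timechart span=15m avg(*) as *`: average each dynamic field per
    time bucket; a field absent from a bucket yields None, as Splunk shows null."""
    span = span_minutes * 60
    sums, counts = defaultdict(lambda: defaultdict(float)), defaultdict(lambda: defaultdict(int))
    for raw in raw_events:
        ts, fields = extract_throughput(raw)
        bucket = datetime.fromtimestamp(ts.timestamp() // span * span, tz=timezone.utc)
        for name, value in fields.items():
            sums[bucket][name] += value
            counts[bucket][name] += 1
    series = sorted({name for bucket in sums.values() for name in bucket})  # one line per child
    rows = []
    for bucket in sorted(sums):
        row = {"_time": bucket.isoformat()}
        for name in series:
            n = counts[bucket][name]
            row[name] = sums[bucket][name] / n if n else None
        rows.append(row)
    return series, rows
```

Each entry of rows is one x-axis point and each name in series is one line, which is exactly the table timechart hands to the chart.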

MemoreX42
Explorer

Thanks, this works just the way I wanted it, thanks a lot!
