Getting Data In

Grouping JSON data and creating dynamic chart

MemoreX42
Explorer

Hi experts,

I am trying to create a dashboard from my data, which is logged in JSON format. However, I am stuck with getting sub-elements from the JSON as lines in my chart.

Here is a sample log:

{
    "DataThroughput": {
        "Updates per second": 576.0666666666667,
        "Incoming Requests per second": 388.7,
        "Processed Requests per second": 382.35
    },
    "DeploymentId": "c84e3e1fe4f74408876bea1a9f6c60e1",
    "LogLevel": "Info",
    "LogTime": "2015-05-05T14:51:37.5168234+00:00"
}

I get one of these every minute into splunk. My ultimate goal is to have a timechart over the data throughput of my system, i.e.:

X-Axis: The time (say over the last 1h)
Y-Axis: The average throughput per second

In this example, the timechart would have three lines (one for Updates / s, one for Incoming Requests / s and one for Processed Requests / s).

Now I know how to do this for this static case, but in my real world scenario, the number of children under the node "DataThroughput" and their names is unknown and changes frequently. Is there a clever way to extract all children of the "DataThroughput" node in the JSON data and build a line in a timechart for each of them without specifying them directly?

Thanks a lot,
Christian

1 Solution

aljohnson_splun
Splunk Employee

So first, you want to extract all the data in the specific node - one way of doing that is by using two spath commands. You'll need to use the fields command too, in order to make sure those are the only fields that we're dealing with.

| spath DataThroughput
| fields DataThroughput
| spath input=DataThroughput
| timechart avg(*) as *

Now you can add span to timechart to adjust the sampling interval (e.g. timechart span=15m avg(*) as *) and obviously tweak the time range to whatever you need (you had mentioned over the last hour). If you don't use the span option of timechart, it will just set your sampling interval automatically.
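The search above works because the child names under DataThroughput are discovered from the events, not written into the query. The Python script below is an added illustration of that same logic outside Splunk; it is not part of the original thread and not Splunk code. It mirrors `spath` (pull the numeric children of one node) and `timechart span=15m avg(*) as *` (bucket by time, average each child per bucket, and build the column list from whatever children actually appeared). The sample events and their values are constructed for this example, and the DeploymentId is a placeholder; the third event deliberately carries an extra child to show a series appearing mid-stream.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events in the shape of the post's log (values made up,
# DeploymentId is a placeholder). The third event adds a child that the first
# two lack, so the set of series has to come from the data itself.
SAMPLE_LOGS = [
    '{"DataThroughput": {"Updates per second": 576.0, "Incoming Requests per second": 388.7,'
    ' "Processed Requests per second": 382.35}, "DeploymentId": "deploy-placeholder",'
    ' "LogLevel": "Info", "LogTime": "2015-05-05T14:51:37.5168234+00:00"}',
    '{"DataThroughput": {"Updates per second": 600.0, "Incoming Requests per second": 400.0,'
    ' "Processed Requests per second": 390.0}, "DeploymentId": "deploy-placeholder",'
    ' "LogLevel": "Info", "LogTime": "2015-05-05T14:52:37.0000000+00:00"}',
    '{"DataThroughput": {"Updates per second": 500.0, "Incoming Requests per second": 300.0,'
    ' "Processed Requests per second": 280.0, "Rejected Requests per second": 5.0},'
    ' "DeploymentId": "deploy-placeholder", "LogLevel": "Warn",'
    ' "LogTime": "2015-05-05T15:06:10.1234567+00:00"}',
]


def parse_logtime(ts: str) -> datetime:
    """Parse the .NET-style LogTime; it carries 7 fractional digits, Python accepts at most 6."""
    m = re.match(r"^(.*?\.\d{6})\d*([+-]\d{2}:\d{2}|Z)$", ts)
    if m:
        ts = m.group(1) + m.group(2)
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def floor_to_span(when: datetime, span_seconds: int) -> datetime:
    """Equivalent of timechart's span=...: snap a timestamp down to its bucket start (UTC)."""
    epoch = int(when.timestamp())
    return datetime.fromtimestamp(epoch - epoch % span_seconds, tz=timezone.utc)


def extract_node(event_json: str, node: str = "DataThroughput"):
    """Equivalent of `spath <node> | spath input=<node>`: return (LogTime, {child: numeric value}).

    Non-numeric children are dropped, as avg() would ignore them anyway.
    """
    event = json.loads(event_json)
    children = event.get(node, {})
    values = {}
    if isinstance(children, dict):
        for name, raw in children.items():
            try:
                values[name] = float(raw)
            except (TypeError, ValueError):
                continue
    return parse_logtime(event["LogTime"]), values


def timechart_avg(lines, span_seconds: int = 900, node: str = "DataThroughput"):
    """Equivalent of `timechart span=15m avg(*) as *` over the extracted children.

    Returns (columns, rows): columns is the sorted union of every child name seen,
    rows maps each bucket start to {child: average of the values present in that bucket}.
    A child missing from some events simply contributes nothing to those buckets.
    """
    sums = defaultdict(lambda: defaultdict(float))
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        when, fields = extract_node(line, node)
        bucket = floor_to_span(when, span_seconds)
        for name, value in fields.items():
            sums[bucket][name] += value
            counts[bucket][name] += 1
    columns = sorted({name for per_bucket in sums.values() for name in per_bucket})
    rows = {
        bucket: {name: sums[bucket][name] / counts[bucket][name] for name in sums[bucket]}
        for bucket in sorted(sums)
    }
    return columns, rows


if __name__ == "__main__":
    cols, table = timechart_avg(SAMPLE_LOGS, span_seconds=900)
    print("_time".ljust(26) + "  ".join(cols))
    for bucket, averages in table.items():
        cells = ["%.3f" % averages[c] if c in averages else "-" for c in cols]
        print(bucket.isoformat().ljust(26) + "  ".join(cells))
```

The columns list is only known after every event has been read, which is exactly why a static query listing three field names breaks when a fourth child appears: the wildcard in `avg(*)` is what lets Splunk defer that decision in the same way.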


MemoreX42
Explorer

Thanks, this works just the way I wanted it, thanks a lot!
