Getting Data In

How do i convert a Json Multi key value pair to multi line chart

robertlynch2020
Motivator

Hi

I have X number of "totalHitCount" in a JSON file (mtr.gauges.caching_metrics.nodes{}.totalHitCount). Within multiple node{} and i am looking to graphs each node{}totalHitCount with time on Y and nodes{}.totalHitCount values - multiple series on the Y axis.

index=amber_live_* sourcetype=AMBER_METRIC usedMemoryMB | spath "mtr.gauges.caching_metrics.nodes{}.totalHitCount" | sort _time| table mtr.gauges.caching_metrics.nodes{}.totalHitCount _time

{ [-]
   h: mx12405vm
   mtr: { [-]
     counters: { [+]
     }
     gauges: { [-]
       caching_metrics: { [-]
         clientCount: 5
         locatorCount: 1
         maxMemoryMB: 10240
         memberCount: 4
         nodes: [ [-]
           { [-]
             bytesReceivedPerSecond: 0
             bytesSentPerSecond: 0
             cpuUsage: 0.21666667
             gcCount: 96
             gcTimeMilliseconds: 884
             getsPerSecond: 0
             locator: true
             lruEvictionsPerSecond: 0
             maxMemoryMB: 2048
             nodeName: positions-gf-locator-v1-1
             putsPerSecond: 0
             readsPerSecond: 0
             server: false
             totalHitCount: 0
             totalMissCount: 0
             totalRegionCount: 0
             totalRegionEntryCount: 0
             usedMemoryMB: 205
             writesPerSecond: 0
           }
           { [-]
             bytesReceivedPerSecond: 0
             bytesSentPerSecond: 0
             cpuUsage: 0.81666666
             gcCount: 196
             gcTimeMilliseconds: 1337
             getsPerSecond: 0
             locator: false
             lruEvictionsPerSecond: 0
             maxMemoryMB: 2048
             nodeName: positions-gf-cacheserver-v1-1
             putsPerSecond: 0
             readsPerSecond: 0
             server: true
             totalHitCount: 1751992
             totalMissCount: 114
             totalRegionCount: 17
             totalRegionEntryCount: 120
             usedMemoryMB: 254
             writesPerSecond: 0
           }

etc...

alt text

Any help would be super thanks.
I did look at this
https://answers.splunk.com/answers/302236/how-to-take-multiple-key-value-pairs-and-draw-a-li.html

But the number of nodes could be dynamic, so not sure what to do.

Rob

0 Karma
1 Solution

robertlynch2020
Motivator

hi

i got it

index=amber_live_* sourcetype=AMBER_METRIC usedMemoryMB
| spath "mtr.gauges.caching_metrics.nodes{}.totalRegionEntryCount"
| rename mtr.gauges.caching_metrics.nodes{}.totalRegionEntryCount AS totalRegionEntryCount
| rename mtr.gauges.caching_metrics.nodes{}.nodeName AS nodeName
| eval x=mvzip(nodeName,totalRegionEntryCount)
| mvexpand x
| eval x = split(x,",")
| eval totalRegionEntryCount=mvindex(x,0)
| eval nodeName=mvindex(x,1) | table _time totalRegionEntryCount nodeName | timechart bins=1000 max(nodeName) by totalRegionEntryCount

View solution in original post

0 Karma

robertlynch2020
Motivator

hi

i got it

index=amber_live_* sourcetype=AMBER_METRIC usedMemoryMB
| spath "mtr.gauges.caching_metrics.nodes{}.totalRegionEntryCount"
| rename mtr.gauges.caching_metrics.nodes{}.totalRegionEntryCount AS totalRegionEntryCount
| rename mtr.gauges.caching_metrics.nodes{}.nodeName AS nodeName
| eval x=mvzip(nodeName,totalRegionEntryCount)
| mvexpand x
| eval x = split(x,",")
| eval totalRegionEntryCount=mvindex(x,0)
| eval nodeName=mvindex(x,1) | table _time totalRegionEntryCount nodeName | timechart bins=1000 max(nodeName) by totalRegionEntryCount

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...