- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to process json array data inside an event
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the following json array within an event:
backupUsage: [ [-]
{ [-]
archiveBytes: 8133276881087
archiveBytesDeltaMonth: 1129290219619
backupSessionCount: 59
billableBytes: 8133276881087
selectedBytes: 8030442921416
selectedFiles: 16962183
targetComputerGuid: 689167150325170177
todoFiles: 461179
}
{ [-]
archiveBytes: 10689981975246
archiveBytesDeltaMonth: 1231733678853
backupSessionCount: 99
billableBytes: 10689981975246
selectedBytes: 7790221958196
selectedFiles: 5564624
targetComputerGuid: 689167158629892097
todoFiles: 167538
}
{ [-]
archiveBytes: 826807333824
archiveBytesDeltaMonth: 46122210209
backupSessionCount: 6
billableBytes: 826807333824
selectedBytes: 820198793090
selectedFiles: 1285100
targetComputerGuid: 689134916159406081
todoFiles: 221
}
]
an event may have 1 or more array objects inside the backupUsage array
if i sum the fields within a single event i can get the correct data e.g:
stats sum(backupUsage{}.billableBytes) as billableBytes by orgName
however the moment i have more than 1 event (with the same orgName) within the search window - the numbers are wrong because its summing from all the events rather than a single event, if i do a timechart then my data is "wrong"
i could set my timechart span to equal the polling time of the data to get only 1 event in each bucket but that seems hacky at best and probably won't scale to long time ranges?
I'm guessing i need to process the arrays into a single set of values per event, ideally at search time and failing that at input processing time (within the input script sending the data in) but not sure where to start
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
your base search | eval sno=1 | accum sno | stats sum(backupUsage{}.billableBytes) as billableBytes by sno orgName
For timechart
your base search | eval sno=1 | accum sno | bucket span=1d _time | stats sum(backupUsage{}.billableBytes) as billableBytes by _time sno orgName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
your base search | eval sno=1 | accum sno | stats sum(backupUsage{}.billableBytes) as billableBytes by sno orgName
For timechart
your base search | eval sno=1 | accum sno | bucket span=1d _time | stats sum(backupUsage{}.billableBytes) as billableBytes by _time sno orgName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This worked - Kind of 🙂
i had to add | fields -sno to either search and also make sure my base search only returned one orgName value in all the events for it to graph "right" i'm sure with additional processing i can correctly split the series for the case of multiple orgNames
Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off
What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience
Take Your Breath Away with Splunk Risk-Based Alerting (RBA)
