How to process json array data inside an event

anthonysomerset
Path Finder

I have the following JSON array within an event:

    "backupUsage": [
      {
        "archiveBytes": 8133276881087,
        "archiveBytesDeltaMonth": 1129290219619,
        "backupSessionCount": 59,
        "billableBytes": 8133276881087,
        "selectedBytes": 8030442921416,
        "selectedFiles": 16962183,
        "targetComputerGuid": 689167150325170177,
        "todoFiles": 461179
      },
      {
        "archiveBytes": 10689981975246,
        "archiveBytesDeltaMonth": 1231733678853,
        "backupSessionCount": 99,
        "billableBytes": 10689981975246,
        "selectedBytes": 7790221958196,
        "selectedFiles": 5564624,
        "targetComputerGuid": 689167158629892097,
        "todoFiles": 167538
      },
      {
        "archiveBytes": 826807333824,
        "archiveBytesDeltaMonth": 46122210209,
        "backupSessionCount": 6,
        "billableBytes": 826807333824,
        "selectedBytes": 820198793090,
        "selectedFiles": 1285100,
        "targetComputerGuid": 689134916159406081,
        "todoFiles": 221
      }
    ]

An event may have 1 or more array objects inside the backupUsage array.

If I sum the fields within a single event I can get the correct data, e.g.:

stats sum(backupUsage{}.billableBytes) as billableBytes by orgName

However, the moment I have more than 1 event (with the same orgName) within the search window, the numbers are wrong because it's summing from all the events rather than a single event; if I do a timechart then my data is "wrong".

I could set my timechart span to equal the polling time of the data to get only 1 event in each bucket, but that seems hacky at best and probably won't scale to long time ranges?

I'm guessing I need to process the arrays into a single set of values per event, ideally at search time and failing that at input processing time (within the input script sending the data in), but I'm not sure where to start.

1 Solution

somesoni2
Revered Legend

Try something like this:

your base search | eval sno=1 | accum sno | stats sum(backupUsage{}.billableBytes) as billableBytes by sno orgName

For timechart:

your base search | eval sno=1 | accum sno | bucket span=1d _time | stats sum(backupUsage{}.billableBytes) as billableBytes by _time sno orgName

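The following is an added example, not code from the original thread or from Splunk. It reproduces the problem described in the question with constructed sample events (made-up orgName, GUIDs and byte counts), shows the inflated number you get when a multivalue field is summed across several polled events for the same orgName, and then implements the two approaches the thread discusses: keeping one row of totals per event (what the accum/sno trick achieves at search time) and pre-computing the per-event totals in the input script before the event is sent to Splunk. The `bucket_latest` helper, which reports the most recent poll per time bucket, is one reasonable choice for a usage gauge and is an assumption of this example, not something the thread states.

```python
"""Per-event aggregation of a JSON array such as backupUsage.

Added example for the thread above; the event layout follows the question,
the sample values are constructed and not real data.
"""
import json
from collections import defaultdict

# Constructed sample data: two polls for the same orgName, one hour apart.
SAMPLE_EVENTS = [
    {"_time": 1_700_000_000, "orgName": "acme",
     "backupUsage": [
         {"targetComputerGuid": "1", "billableBytes": 100, "selectedFiles": 10},
         {"targetComputerGuid": "2", "billableBytes": 250, "selectedFiles": 20},
     ]},
    {"_time": 1_700_003_600, "orgName": "acme",
     "backupUsage": [
         {"targetComputerGuid": "1", "billableBytes": 110, "selectedFiles": 11},
         {"targetComputerGuid": "2", "billableBytes": 260, "selectedFiles": 21},
         {"targetComputerGuid": "3", "billableBytes": 30, "selectedFiles": 3},
     ]},
]

# Numeric fields inside each backupUsage element that we want summed per event.
SUM_FIELDS = ("billableBytes", "selectedFiles")


def naive_sum_across_events(events, field="billableBytes"):
    """What `stats sum(backupUsage{}.field) by orgName` does over a window:
    every array element of every event is added together, so two polls of
    the same org are counted twice."""
    totals = defaultdict(int)
    for ev in events:
        for item in ev.get("backupUsage", []):
            totals[ev["orgName"]] += int(item.get(field, 0))
    return dict(totals)


def per_event_totals(event):
    """Sum the array inside ONE event, yielding one row of scalars.
    An empty or missing backupUsage array yields zeros rather than an error."""
    items = event.get("backupUsage") or []
    row = {"_time": event["_time"], "orgName": event["orgName"],
           "targetCount": len(items)}
    for field in SUM_FIELDS:
        row[field] = sum(int(item.get(field, 0)) for item in items)
    return row


def flatten_for_ingest(event):
    """Input-script option: add scalar totals to the event before sending it,
    so a search can `stats` the <field>Total fields without touching the
    multivalue array. The array itself is kept for per-target drill-down.
    Returns the JSON line the script would write out."""
    totals = per_event_totals(event)
    enriched = dict(event)
    for field in SUM_FIELDS:
        enriched[field + "Total"] = totals[field]
    enriched["targetCount"] = totals["targetCount"]
    return json.dumps(enriched, sort_keys=True)


def bucket_latest(events, span_seconds):
    """Timechart-style view: one row per (bucket, orgName), taken from the
    latest poll in that bucket. Using the latest poll (rather than summing
    polls) is this example's assumption for a usage gauge."""
    latest = {}
    for ev in events:
        row = per_event_totals(ev)
        key = (row["_time"] - row["_time"] % span_seconds, row["orgName"])
        if key not in latest or row["_time"] > latest[key]["_time"]:
            latest[key] = row
    return latest


if __name__ == "__main__":
    print("naive:", naive_sum_across_events(SAMPLE_EVENTS))
    for ev in SAMPLE_EVENTS:
        print("per event:", per_event_totals(ev))
    print("daily latest:", bucket_latest(SAMPLE_EVENTS, 86400))
    print(flatten_for_ingest(SAMPLE_EVENTS[0]))
```

With the constructed data the naive sum reports 750 billable bytes for "acme" over the window, whereas the two polls are actually 350 and 400; bucketing by day and keeping the latest poll reports 400 for that day.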

anthonysomerset
Path Finder

This worked - kind of 🙂

I had to add | fields -sno to either search, and also make sure my base search only returned one orgName value in all the events for it to graph "right". I'm sure with additional processing I can correctly split the series for the case of multiple orgNames.
