Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to process json array data inside an event
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the following json array within an event:
backupUsage: [ [-]
{ [-]
archiveBytes: 8133276881087
archiveBytesDeltaMonth: 1129290219619
backupSessionCount: 59
billableBytes: 8133276881087
selectedBytes: 8030442921416
selectedFiles: 16962183
targetComputerGuid: 689167150325170177
todoFiles: 461179
}
{ [-]
archiveBytes: 10689981975246
archiveBytesDeltaMonth: 1231733678853
backupSessionCount: 99
billableBytes: 10689981975246
selectedBytes: 7790221958196
selectedFiles: 5564624
targetComputerGuid: 689167158629892097
todoFiles: 167538
}
{ [-]
archiveBytes: 826807333824
archiveBytesDeltaMonth: 46122210209
backupSessionCount: 6
billableBytes: 826807333824
selectedBytes: 820198793090
selectedFiles: 1285100
targetComputerGuid: 689134916159406081
todoFiles: 221
}
]
an event may have 1 or more array objects inside the backupUsage array
if i sum the fields within a single event i can get the correct data e.g:
stats sum(backupUsage{}.billableBytes) as billableBytes by orgName
however the moment i have more than 1 event (with the same orgName) within the search window - the numbers are wrong because its summing from all the events rather than a single event, if i do a timechart then my data is "wrong"
i could set my timechart span to equal the polling time of the data to get only 1 event in each bucket but that seems hacky at best and probably won't scale to long time ranges?
I'm guessing i need to process the arrays into a single set of values per event, ideally at search time and failing that at input processing time (within the input script sending the data in) but not sure where to start
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
your base search | eval sno=1 | accum sno | stats sum(backupUsage{}.billableBytes) as billableBytes by sno orgName
For timechart
your base search | eval sno=1 | accum sno | bucket span=1d _time | stats sum(backupUsage{}.billableBytes) as billableBytes by _time sno orgName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
your base search | eval sno=1 | accum sno | stats sum(backupUsage{}.billableBytes) as billableBytes by sno orgName
For timechart
your base search | eval sno=1 | accum sno | bucket span=1d _time | stats sum(backupUsage{}.billableBytes) as billableBytes by _time sno orgName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This worked - Kind of 🙂
i had to add | fields -sno to either search and also make sure my base search only returned one orgName value in all the events for it to graph "right" i'm sure with additional processing i can correctly split the series for the case of multiple orgNames
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
