Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to split columns based on timestamp and field value at the same time from JSON data?

shikhanshu
Path Finder
‎09-16-2014 05:22 PM

I have JSON data going into my Splunk index. Let's assume I am sending one JSON object array at a time through the REST API. The data looks like this:

[{'time':'timestamp1', 'block':'blockname1', type1_metric1:10, type1_metric2:20, type2_metric1:10, type2_metric2:20 },
{'time':'timestamp1', 'block':'blockname2', type1_metric1:15, type1_metric2:25, type2_metric1:15, type2_metric2:25 }]

[{'time':'timestamp2', 'block':'blockname1', type1_metric1:30, type1_metric2:40, type2_metric1:30, type2_metric2:40 },
{'time':'timestamp2', 'block':'blockname2', type1_metric1:35, type1_metric2:45, type2_metric1:35, type2_metric2:45 }]
...

For a given "metric type prefix" (like type1 or type2), I want to get a search result like this:

                   blockname1                    blockname2
             timestamp1   timestamp2      timestamp1    timestamp2
type1_metric1   10      30                 15           35
type1_metric2   20      40                 25           45

I am fairly new to Splunk Query language and this looks like its going to be a fairly complex query and I am at loss where to even begin.

Can someone help!? Cookies to anyone who can! (I will zip up my browser cookies and mail them to you, I swear!)

Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-22-2014 03:27 PM

Are the field extraction configured? Means are you getting following fields - block time type1_metric1 type1_metric2 type2_metric1 type2_metric2

If you are getting fields like that then try this

your base search giving fields  block   time type1_metric1 type1_metric2 type2_metric1 type2_metric2 | eval column=time."-".block | fields - time block | untable column metrics value | chart sum(value) over metrics by column

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-22-2014 03:27 PM

Are the field extraction configured? Means are you getting following fields - block time type1_metric1 type1_metric2 type2_metric1 type2_metric2

If you are getting fields like that then try this

your base search giving fields  block   time type1_metric1 type1_metric2 type2_metric1 type2_metric2 | eval column=time."-".block | fields - time block | untable column metrics value | chart sum(value) over metrics by column
Reply
Solved! Jump to solution

shikhanshu
Path Finder
‎09-22-2014 04:10 PM

You are a genius! You gave me exactly what I needed. How can I make your comment as the "Answer"?

Reply
Solved! Jump to solution

ppablo
Retired
‎09-22-2014 04:42 PM

Hi @shikhanshu

I just converted @somesoni2's comment to an answer 🙂 be sure to accept the answer by clicking on the Accept button. You'll both receive karma points. Glad you got a solution!

Patrick

0 Karma
Reply
Solved! Jump to solution

shikhanshu
Path Finder
‎09-17-2014 08:00 AM

I have tried "transpose" and that gives the metrics as rows, but I am unable to split a "block" based on "time". Each event shows up as a separate column (which is expected I guess)

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
Top