Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Getting Data In
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Search help - how to use "group by"?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ramesharavinth
New Member
09-05-2017
12:23 AM
Hi, I have two JSON files like below,
File Name: report_15_8_2017_json.json
{
"reportSummary": {
"testMethodsSummary": {
"passed": 450,
"failed": 32,
"skipped": 0
},
"authorTestSummary": [
{
"authorName": "PONNI NATARAJAN",
"passed": 12,
"failed": 0,
"skipped": 0,
"total": 12,
"passRate": "100"
},
..............
FileName: **report_22_8_2017_json.json**
{
"reportSummary": {
"testMethodsSummary": {
"passed": 448,
"failed": 32,
"skipped": 0
},
"authorTestSummary": [
{
"authorName": "PONNI NATARAJAN",
"passed": 8,
"failed": 2,
"skipped": 0,
"total": 12,
"passRate": "66.6"
},
..........
I want to group by the "authorTestSummary.authorName" and count the "passed" field from both the files and create a chart for the
timeline(filename) Author Name Passed(count)
15_8_2017 PONNI NATARAJAN 8
22_8_2017 PONNI NATARAJAN 12
15_8_2017 MICHAEL CARD 4
22_8_2017 MICHAEL CARD 6
......
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
09-05-2017
04:18 AM
Like this:
|makeresults | eval raw="File Name: report_15_8_2017_json.json
{
\"reportSummary\": {
\"testMethodsSummary\": {
\"passed\": 450,
\"failed\": 32,
\"skipped\": 0
},
\"authorTestSummary\": [
{
\"authorName\": \"PONNI NATARAJAN\",
\"passed\": 12,
\"failed\": 0,
\"skipped\": 0,
\"total\": 12,
\"passRate\": \"100\"
}:::File Name: report_22_8_2017_json.json
{
\"reportSummary\": {
\"testMethodsSummary\": {
\"passed\": 448,
\"failed\": 32,
\"skipped\": 0
},
\"authorTestSummary\": [
{
\"authorName\": \"PONNI NATARAJAN\",
\"passed\": 8,
\"failed\": 2,
\"skipped\": 0,
\"total\": 12,
\"passRate\": \"66.6\"
}"
| makemv delim=":::" raw
| mvexpand raw
| rename raw AS _raw
| rex "File Name: (?<source>\S+)\s"
| rex mode=sed "s/^File Name: \S+\s//"
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| rex field=source "report_(?<_time>\d+_\d+_\d+)_json.json"
| eval _time = strptime(_time, "%d_%m_%Y")
| spath
| rename reportSummary.* AS *
| rename *{}* AS **
| timechart first(authorTestSummary.passRate) AS authorTestSummary.passRate BY authorTestSummary.authorName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
09-05-2017
04:18 AM
Like this:
|makeresults | eval raw="File Name: report_15_8_2017_json.json
{
\"reportSummary\": {
\"testMethodsSummary\": {
\"passed\": 450,
\"failed\": 32,
\"skipped\": 0
},
\"authorTestSummary\": [
{
\"authorName\": \"PONNI NATARAJAN\",
\"passed\": 12,
\"failed\": 0,
\"skipped\": 0,
\"total\": 12,
\"passRate\": \"100\"
}:::File Name: report_22_8_2017_json.json
{
\"reportSummary\": {
\"testMethodsSummary\": {
\"passed\": 448,
\"failed\": 32,
\"skipped\": 0
},
\"authorTestSummary\": [
{
\"authorName\": \"PONNI NATARAJAN\",
\"passed\": 8,
\"failed\": 2,
\"skipped\": 0,
\"total\": 12,
\"passRate\": \"66.6\"
}"
| makemv delim=":::" raw
| mvexpand raw
| rename raw AS _raw
| rex "File Name: (?<source>\S+)\s"
| rex mode=sed "s/^File Name: \S+\s//"
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| rex field=source "report_(?<_time>\d+_\d+_\d+)_json.json"
| eval _time = strptime(_time, "%d_%m_%Y")
| spath
| rename reportSummary.* AS *
| rename *{}* AS **
| timechart first(authorTestSummary.passRate) AS authorTestSummary.passRate BY authorTestSummary.authorName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ramesharavinth
New Member
09-05-2017
06:06 AM
Thanks woodcock it works for single authorName with raw json data.
How to do this using the source(eg; source="report_*"), so that it will pick up all the source files. Also if how to do the create the time chart when i have multiple author name, and not just one name.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
09-05-2017
06:43 AM
As long as each author is in a separate event, it should work as-is.
Get Updates on the Splunk Community!
Enterprise Security Content Update (ESCU) | New Releases
In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
(This is the first of a series of 2 blogs).
Splunk Enterprise Security is a fantastic tool that offers robust ...
Index This | What are the 12 Days of Splunk-mas?
December 2024 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with another ...
