Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

extracting values ​​from fields in metrics

Be_JAR
Path Finder
‎06-26-2024 06:57 AM

Hello.

I am working with opentelemetry metrics. I have a metric type index, and the format of the payload I receive is like this:

Be_JAR_0-1719410145708.png

example payload :

{"deployment.environment":"entorno-pruebas","k8s.cluster.name":"splunk-otel","k8s.namespace.name":"default","k8s.node.name":"minikube","k8s.pod.name":"my-otel-demo-emailservice-fc5bc4c5f-jxzqz","k8s.pod.uid":"5fe1ada8-8baa-4960-b873-381b475b2b26","metric_type":"Gauge","os.type":"linux","metric_name:k8s.pod.filesystem.usage":491520}

 

I need a search that retrieves the various values ​​of the k8s.pod.name field. I'm trying different variations of the search, but I can't get it:

|mstats avg(_value) as VAL WHERE index=otel_k8s_metrics metric_name="metric_name:k8s.pod.filesystem.usage*"
|spath input=_raw path=k8s.pod.name output=k8s.pod.name
|stats values(k8s.pod.name) as k8s.pod.name
|table k8s.pod.name

 

Does anyone have any idea why it doesn't work. Metrics type indexes support spath

 

I appreciate any ideas

BR 

JAR

 

Labels (1)
Labels
0 Karma
Reply

KendallW
Contributor
‎06-30-2024 09:51 PM

Hi @Be_JAR  In your first screenshot, it looks like the k8s.pod.name field is already being extracted correctly? It seems to get extracted correctly when using this run-anywhere search using the payload you provided:

| makeresults
| eval _raw="{
  \"deployment.environment\":\"entorno-pruebas\",
  \"k8s.cluster.name\":\"splunk-otel\",
  \"k8s.namespace.name\":\"default\",
  \"k8s.node.name\":\"minikube\",
  \"k8s.pod.name\":\"my-otel-demo-emailservice-fc5bc4c5f-jxzqz\",
  \"k8s.pod.uid\":\"5fe1ada8-8baa-4960-b873-381b475b2b26\",
  \"metric_type\":\"Gauge\",
  \"os.type\":\"linux\",
  \"metric_name:k8s.pod.filesystem.usage\":491520
}"
| spath
| stats values(k8s.pod.name) as k8s.pod.name

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...