How can I extract multiple events from a single json api reply, without duplicating from previous api replies that include the same event?
I'm querying an api that gives me the last 10 payment events (unfortunately I can't cut this down). I want to chart or graph the payments over time, without duplicating payments that appear in more than one query.
Each api reply has json like this. I've cut it down to 3 events per api response to make things easier here. Note there are only 4 unique payments across both example json responses below, as tracked by txnHash. ts is unix time.
Is this possible?
sample 1
[
  {"pt":"pplns",
   "ts":1519043779,
   "amount":316,
   "txnHash":"5e8a3f",
   "mixin":12
  },
  {"pt":"pplns",
   "ts":1519041972,
   "amount":510,
   "txnHash":"a1808c",
   "mixin":12
  },
  {"pt":"pplns",
   "ts":1519038361,
   "amount":108,
   "txnHash":"e6c116",
   "mixin":12
  }
]
sample 2
[
  {"pt":"pplns",
   "ts":1519046691,
   "amount":200,
   "txnHash":"586752",
   "mixin":12
  },
  {"pt":"pplns",
   "ts":1519043779,
   "amount":316,
   "txnHash":"5e8a3f",
   "mixin":12
  },
  {"pt":"pplns",
   "ts":1519041972,
   "amount":510,
   "txnHash":"a1808c",
   "mixin":12
  }
]
I'm using "|spath path={}.amount |spath path={}.ts |spath path={}.txnHash" to get the fields out of the json (but I suspect they are all mixed up, and no longer in their pairings).
After that, I add "| eval temp=mvzip(amount,mvzip(txnHash,ts,"##"),"##")" (I cut this down to only the fields I need; I assume the order doesn't make a difference?).
But I get no results.
My base search gives the events, e.g. sample1, sample2, but not the fields unless I take further action. What's the best way to extract them?

Try like this (assuming Splunk does realize it's JSON and does the field extraction accordingly):
your base search giving fields pt ts amount txnHash mixin
| eval temp=mvzip(pt,mvzip(ts,mvzip(amount,mvzip(txnHash,mixin,"##"),"##"),"##"),"##")
| table temp | mvexpand temp
| rex field=temp "(?<pt>.+)##(?<ts>.+)##(?<amount>.+)##(?<txnHash>.+)##(?<mixin>.+)"
| dedup txnHash | eval _time=strptime(ts,"%s")
| timechart span=1d sum(amount) as TotalAmount
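The pipeline in the answer above (keep the fields of each array element paired, drop repeats by txnHash, then bucket by time) is easy to misjudge by eye, so here is the same logic as a stand-alone Python script. This is an added example, not code from the original thread or from Splunk; the two replies are constructed from the samples in the question, and the function names (`flatten`, `dedup_by_txn`, `bucket_totals`) are this example's own. It generalizes the answer's fixed `span=1d` to any bucket width in seconds.

```python
import json
from datetime import datetime, timezone

# Constructed sample replies, copied from the two samples in the question.
SAMPLE_1 = json.loads("""[
{"pt":"pplns","ts":1519043779,"amount":316,"txnHash":"5e8a3f","mixin":12},
{"pt":"pplns","ts":1519041972,"amount":510,"txnHash":"a1808c","mixin":12},
{"pt":"pplns","ts":1519038361,"amount":108,"txnHash":"e6c116","mixin":12}
]""")
SAMPLE_2 = json.loads("""[
{"pt":"pplns","ts":1519046691,"amount":200,"txnHash":"586752","mixin":12},
{"pt":"pplns","ts":1519043779,"amount":316,"txnHash":"5e8a3f","mixin":12},
{"pt":"pplns","ts":1519041972,"amount":510,"txnHash":"a1808c","mixin":12}
]""")

FIELDS = ("pt", "ts", "amount", "txnHash", "mixin")


def flatten(replies):
    """Yield one record per array element across all replies.

    Walking each element as a unit is what keeps pt/ts/amount/txnHash/mixin
    paired; it is the role mvzip + mvexpand + rex play in the SPL answer,
    and what goes wrong when the fields are pulled out as separate
    multivalue lists.
    """
    for reply in replies:
        for event in reply:
            yield {name: event[name] for name in FIELDS}


def dedup_by_txn(replies):
    """Keep the first record seen for each txnHash, like `| dedup txnHash`."""
    seen = {}
    for record in flatten(replies):
        seen.setdefault(record["txnHash"], record)
    return list(seen.values())


def bucket_totals(records, span_seconds=86400):
    """Sum amount per time bucket, like `| timechart span=<...> sum(amount)`.

    ts is floored to the bucket start (UTC); the default span of 86400 s
    matches the answer's span=1d. Keys are ISO-8601 bucket starts.
    """
    totals = {}
    for record in records:
        bucket = record["ts"] - record["ts"] % span_seconds
        key = datetime.fromtimestamp(bucket, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        totals[key] = totals.get(key, 0) + record["amount"]
    return dict(sorted(totals.items()))


if __name__ == "__main__":
    replies = [SAMPLE_1, SAMPLE_2]
    print("without dedup:", bucket_totals(flatten(replies)))
    print("with dedup:   ", bucket_totals(dedup_by_txn(replies)))
    print("hourly:       ", bucket_totals(dedup_by_txn(replies), span_seconds=3600))
```

Running it shows the double counting the question is worried about: the six elements across the two replies sum to 1960 for 2018-02-19, while the four distinct txnHash values sum to 1134. Deduplicating on txnHash rather than on the whole record is deliberate: it is the one field the question identifies as the payment's identity, so any later reply that re-reports the same payment is dropped regardless of the other fields.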
