Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Creating dashboard with 4 columns

shenoyveer
Path Finder
‎09-12-2024 09:28 PM

Hi Team,

I am sending json data to Splunk server and I want to create a dashboard out of it.

My data is in the below format and I need help in creating the dashboard out of it.

 

example:

{"value": ["new-repo-1: 2: yes: 17", "new-repo-2: 30:no:10", "new-one-3:15:yes:0", "old-repo: 10:yes:23", "my-repo: 10:no:15"]} and many more similar entries.

 

my dashboard should look like,

reposcountactivecount
new-repo2yes17
new-repo-230no10
new-one-315yes0
old-repo10yes23
my-repo10no15

 

I am able to write the rex for single field using extract pairdelim="\"{,}" kvdelim=":" but not able to do it for complete dashboard.

can someone help?

 

Thanks,

Veeresh Shenoy

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

shenoyveer
Path Finder
‎09-16-2024 04:53 AM

I got the query that we need to use dedup 

thanks anyway.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

shenoyveer
Path Finder
‎09-13-2024 03:17 AM

Thank you soo much @ITWhisperer 

this worked for me 🙂

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-13-2024 12:45 AM

Your data looks like JSON so perhaps you should start by extracting the value collection into a multivalue field. You can then use mvexpand to split it into separate events, and use rex to extract the fields. Note that you can't have two columns / fields with the same name as you have shown

| spath value{} output=value
| mvexpand value
| rex field=value "(?<repos>[^:]+):\s*(?<count>\d+):\s*(?<active>\w+):\s*(?<othercount>\d+)"
| table repos count active othercount
Reply
Solved! Jump to solution

shenoyveer
Path Finder
‎09-16-2024 04:47 AM

This query worked but I have found one issue that its taking duplicate values in dashboard if we run it again

is there any way that we can avoid old value if we run multiple times in lesser time?

 

0 Karma
Reply
Solved! Jump to solution
Solution

shenoyveer
Path Finder
‎09-16-2024 04:53 AM

I got the query that we need to use dedup 

thanks anyway.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...