Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extract JSON data to chart

ndkhoiits
Explorer
‎06-24-2014 02:21 AM

Today, I have to create a chart from log in json format. The log is something like that:

Expired token in next 3 days {"data":[{"date":"2014-06-25","Site1":100,"Site2":23,"Site3":133},{"date":"2014-06-26","Site1":200,"Site2":223,"Site3":232},{"date":"2014-06-24","Site1":150,"Site2":342,"Site3":422}]}

Output should be a chart (column chart) which contains information about date and number of expired token for each site

The log will show the list of expire token from 3 sites for next 3 days. The json format can be changed to whatever for suitable.

Anyone please help to give me any suggestion.

Tags (3)
0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎06-24-2014 02:48 AM

Hi ndkhoiits,

take a look at the docs about the spath command example 3, this will show you how to use spath on JSON logs.

cheers, MuS

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎06-24-2014 03:41 AM

based on your provided data:

{"data":
[
{"date":"2014-06-25","Name":"Site1":"Count":"100"},
{"date":"2014-06-25","Name":"Site2":"Count":"23"},
{"date":"2014-06-25","Name":"Site3":"Count":"133"}
]
}

0 Karma
Reply

ndkhoiits
Explorer
‎06-24-2014 03:36 AM

Would you like to give me a clear explanation or a sample

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎06-24-2014 03:35 AM

still no need for mvzip because you have per date a Site1, Site2 and Site3 entry. Personally I would add a Name=Site[1|2|3] key=value pair and a count=value per date in the JSON, much easier to handle

0 Karma
Reply

ndkhoiits
Explorer
‎06-24-2014 03:31 AM

This example is my real world data

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎06-24-2014 03:03 AM

your sites names are Site1, Site2 and Site3 in the example JSON, so no need for mvzip... or are those site names all equal and this example is your real world data?

0 Karma
Reply

ndkhoiits
Explorer
‎06-24-2014 02:54 AM

Thanks for your answer, however in my requirement there are 3 sites which need to be included in the report, so I don't know how to use mvzip in this case

0 Karma
Reply

ndkhoiits
Explorer
‎06-24-2014 02:23 AM

The chart can be something like that
https://docs.google.com/file/d/0B_zzVMkc4PNJN1p3LU1fMGZ4cWs

0 Karma
Reply
Get Updates on the Splunk Community!

See Splunk Platform & Observability Innovations at Cisco Live EMEA

Hi Splunkers, Learn about what’s next for Splunk Platform at Cisco Live EMEA.  Data silos are a big challenge ...

The OpenTelemetry Certified Associate (OTCA) Exam

What’s this OTCA exam? The Linux Foundation offers the OpenTelemetry Certified Associate (OTCA) credential to ...

From Manual to Agentic: Level Up Your SOC at Cisco Live

Welcome to the Era of the Agentic SOC   Are you tired of being a manual alert responder? The security ...