Hello all,
I'm having trouble extracting fields from a sample in Splunk.
I went to "extract fields", I have the first one, but I don't know how to continue.
Here the sample:
[{"Type":"Attention","ABUSE":18,"GSD 24x7":1,"CLOUD":0,"DC":0,"ECL":0,"ITMS":0,"NET":0,"RFO":17,"Total":36},{"Type":"Active","ABUSE":0,"GSD 24x7":22,"CLOUD":38,"DC":5,"ECL":1,"ITMS":0,"NET":12,"RFO":2,"Total":80},{"Type":"Total","ABUSE":18,"GSD 24x7":23,"CLOUD":38,"DC":5,"ECL":1,"ITMS":0,"NET":12,"RFO":19,"Total":116},{"Type":"P1","ABUSE":0,"GSD 24x7":0,"CLOUD":0,"DC":0,"ECL":0,"ITMS":0,"NET":0,"RFO":6,"Total":6},{"Type":"P2","ABUSE":0,"GSD 24x7":1,"CLOUD":0,"DC":0,"ECL":0,"ITMS":0,"NET":0,"RFO":10,"Total":11},{"Type":"P3\/4","ABUSE":18,"GSD 24x7":0,"CLOUD":0,"DC":0,"ECL":0,"ITMS":0,"NET":0,"RFO":1,"Total":19}]
From that, I would like to be able to calculate averages and sums from the numbers, having two fields:
- Team. Values: ABUSE, CLOUD, GSD 24x7, NET, RFO...
- Type: Attention, Active...
with this in the search
| rex max_match=0 "\"Type\":\"(?<Type>[^\"]+)\""
I got the Type, but no idea on how to proceed.
Any ideas?
Thank you all in advance.
Hi
as your data seems to be valid JSON it's easiest to handle that way.
index=_internal | head 1
| eval _raw = "[{\"Type\":\"Attention\",\"ABUSE\":18,\"GSD 24x7\":1,\"CLOUD\":0,\"DC\":0,\"ECL\":0,\"ITMS\":0,\"NET\":0,\"RFO\":17,\"Total\":36},{\"Type\":\"Active\",\"ABUSE\":0,\"GSD 24x7\":22,\"CLOUD\":38,\"DC\":5,\"ECL\":1,\"ITMS\":0,\"NET\":12,\"RFO\":2,\"Total\":80},{\"Type\":\"Total\",\"ABUSE\":18,\"GSD 24x7\":23,\"CLOUD\":38,\"DC\":5,\"ECL\":1,\"ITMS\":0,\"NET\":12,\"RFO\":19,\"Total\":116},{\"Type\":\"P1\",\"ABUSE\":0,\"GSD 24x7\":0,\"CLOUD\":0,\"DC\":0,\"ECL\":0,\"ITMS\":0,\"NET\":0,\"RFO\":6,\"Total\":6},{\"Type\":\"P2\",\"ABUSE\":0,\"GSD 24x7\":1,\"CLOUD\":0,\"DC\":0,\"ECL\":0,\"ITMS\":0,\"NET\":0,\"RFO\":10,\"Total\":11},{\"Type\":\"P3\/4\",\"ABUSE\":18,\"GSD 24x7\":0,\"CLOUD\":0,\"DC\":0,\"ECL\":0,\"ITMS\":0,\"NET\":0,\"RFO\":1,\"Total\":19}]"
| rename COMMENTS AS "Previous lines generate your sample data, you get it by index=xxx"
| spath
| rename {}.* as json_*
| table json_*
Unfortunately I'm not getting what/how you want to calculate those values.
r. Ismo
Hi,
It's working perfectly, thanks a lot!
What I was thinking to calculate with this.... These numbers are the numbers coming before and after every shift. The simplest calculation to do should be to know the difference between the start and the end of the shift. However, I've realized that this won't be that easy. Do you have any idea? If not, I will say it's not possible to do; I've been asked for this as an improvement, but the main thing is working already.
Thank you!
Hi,
Thanks a lot, it looks like a table now! 🙂
This JSON gets data every 12 hours. What I intend to do is to perform some stats about the difference from the one I got in the last 12 hours, to check the difference and how the shifts are performing.
Does it make sense? I was thinking about sending alerts by e-mail with the stats, but I'm not sure about how I can calculate the stats.
Just ensure that you have _time in your data and then it should work.
r. Ismo
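One way to turn that array into Team/Type rows and get the sums, averages and shift-over-shift differences described above (an added example, not a search from the thread; YOUR_INDEX and YOUR_SOURCETYPE are placeholders, and it assumes each 12-hourly JSON document is indexed as one event with its own _time):

```spl
index=YOUR_INDEX sourcetype=YOUR_SOURCETYPE
| rename COMMENTS AS "YOUR_INDEX / YOUR_SOURCETYPE are placeholders for wherever the 12-hourly JSON lands"
| spath path={} output=row
| rename COMMENTS AS "row is a multivalue field with one JSON object per array element; expand to one event per object"
| mvexpand row
| spath input=row
| rename COMMENTS AS "drop the pre-computed Total row (and, below, the Total column) so sums and averages are not double-counted"
| where Type!="Total"
| rename COMMENTS AS "carry _time and Type through the unpivot in one key field, since untable keeps only one x-field"
| eval key=_time."|".Type
| table key ABUSE CLOUD DC ECL ITMS NET RFO "GSD 24x7"
| rename COMMENTS AS "unpivot: one row per (key, Team) with the count as the value"
| untable key Team count
| eval _time=tonumber(mvindex(split(key,"|"),0)), Type=mvindex(split(key,"|"),1)
| fields - key
| rename COMMENTS AS "shift-over-shift difference: compare each count with the previous event for the same Team and Type"
| sort 0 Team Type _time
| streamstats current=f last(count) as prev_count by Team Type
| eval delta=count-prev_count
| stats sum(count) as total_count avg(count) as avg_count avg(delta) as avg_shift_delta by Team Type
```

Remove the final stats line to keep one row per shift (with delta) for an e-mail alert, or change the by-clause to `by Team` for per-team totals only.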
Hi @marina_rovira, add another rex for extracting team with multivalues like
Team. Values: ABUSE, CLOUD, GSD 24x7, NET, RFO...
|rex max_match=0 "\"(?<team>[\w\s]+)\":[0-9]+,"
Hope this helps!
Please upvote my response, if it resolves the issue.