Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Get latest events of json and visualize it to table.

alexeysharkov
Path Finder
‎10-04-2023 12:32 AM

Hello friends!

I get JSON like this

{"key":"27.09.2023","value_sum":35476232.82,"value_cnt":2338}

and so on

...

[-]
   key: 29.09.2023
   value_cnt: 2736

   value_sum: 51150570.59
}

аnd row_source like this

10/4/23
1:23:03.000 PM
 
{"key":"27.09.2023","value_sum":35476232.82,"value_cnt":2338}
Show syntax highlighted

 

And i want to get table like this:

dayssumcnt
27.09.202335476232.822338
29.09.202351150570.592736

 

so i have to get latest events and put it to table.

Please help

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-04-2023 01:22 AM 
| stats latest(value_sum) ,latest(value_cnt) by key

View solution in original post

Reply
Solved! Jump to solution

alexeysharkov
Path Finder
‎10-04-2023 01:17 AM

Sorry i forget to write very important things

I have many events with the same key 

for example:

10/4/23
1:23:03.000 PM
 
{"key":"27.09.2023","value_sum":35476232.82,"value_cnt":2338}
Show syntax highlighted
10/4/23
1:24:03.000 PM
{"key":"27.09.2023","value_sum":35476232.82,"value_cnt":2338}
Show syntax highlighted
10/4/23
1:25:03.000 PM
{"key":"27.09.2023","value_sum":35476232.82,"value_cnt":2338}
Show syntax highlighted

 

...

and for other KEY  for example key":"29.09.2023" many events

 

in the result i want to see only one unique row for KEY

I try to search 

index=hcg_app_damu_prod sourcetype="damu_pays_7d" | spath input=json | table _time, key ,value_sum, value_cnt | stats latest(key), latest(value_sum) ,latest(value_cnt)

 

but it give me just only one row.

 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-04-2023 01:22 AM 
| stats latest(value_sum) ,latest(value_cnt) by key
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-04-2023 12:53 AM

Do you already have the fields extracted, or are you asking how to extract the fields so you can use them in a table?

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎10-04-2023 12:50 AM

This is rather confusing.  It seems that Splunk already gives you fields "key", "value_sum", and "value_cnt".  You want to rename "key" as "day", "value_sum" as "sum", "value_cnt" as "cnt".  Is that all?  Are you just looking for rename?

| rename "key" as "day", "value_sum" as "sum", "value_cnt" as "cnt"
| table day sum cnt

Something like that.

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...