Splunk Search

How to chart a list of key value pairs

Tom1187
Path Finder

Hi there, I am using Splunk's REST API Modular Input to input data from Apache Solr.
Once a day a facet query is sent to Solr, and solr returns a JSON that is indexed to splunk.

The JSON contains a list of key value pair, the key is a name, and the value is a count of how many times does this name found in Solr.
the log looks like this:

"123" , "987"               , "234" , "876"               , "345" ,  "765"

What I need to do is build a timechart based on the value.
The truth is- I'm pretty lost. I searched and saw a lot of answers that suggested using regex, but i'm not sure how to use it in this case, and how to use this to build this chart.

Any help will be appreciated. Thanks

0 Karma
1 Solution

MuS
SplunkTrust
SplunkTrust

Hi Tom1187,

if the fields are not extracted already, you can have a look at this answer https://answers.splunk.com/answers/319646/how-to-write-the-regex-to-extract-data-inside-squa.html and do it using props.conf and transforms.conf

In your case you would need this regex to match:

  REGEX = "([^"]+)"\s+,\s+"([^"]+)"     

Hope this helps ...

cheers, MuS

View solution in original post

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi Tom1187,

if the fields are not extracted already, you can have a look at this answer https://answers.splunk.com/answers/319646/how-to-write-the-regex-to-extract-data-inside-squa.html and do it using props.conf and transforms.conf

In your case you would need this regex to match:

  REGEX = "([^"]+)"\s+,\s+"([^"]+)"     

Hope this helps ...

cheers, MuS

0 Karma

Tom1187
Path Finder

Hi, thanks fro commenting.
for some reason, I had problem using the props.conf and transforms.conf .
Both file were configured to used a working regex (your regex was great, just had to tweak it so it will work on a json), yet it didn't extracted the fields.
In the splunk web page, under the fields extraction manager I saw both of the fields I tried to extract, yet when I searched they weren't extracted.
I tried also to create an extraction using the "add field extraction" in the splunk webpage, which work- well, not exactly. Instead of extracting all of the key values, it only extracted the first value.

Because of a dead line I was forced to try a fast and simple solution- I'm using rex on every search. Its not ideal, but its working.
I still need to bar chart/ column chart the two fields, but I'll try to do this my own.

thanks for your help! really appreciate that!

0 Karma

somesoni2
SplunkTrust
SplunkTrust

What type of chart you want to create and what aggregation you want to do with values? Are the fields already extracted by Splunk?

0 Karma

Tom1187
Path Finder

I want to create a basic line chart, it will only use to see the count of every name.
I'm not sure how to extract fields so I guess not

0 Karma

somesoni2
SplunkTrust
SplunkTrust

You can run a search to fetch your data in Smart or Verbose mode and check the left hand field side bar if they are present. If not, then can you share a full sample event?

0 Karma

Tom1187
Path Finder

I'll try and I will update. In the meantime- thanks for commenting!

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...