Solved: How to chart a list of key value pairs

Tom1187 · ‎04-10-2017

Hi there, I am using Splunk's REST API Modular Input to input data from Apache Solr.
Once a day a facet query is sent to Solr, and solr returns a JSON that is indexed to splunk.

The JSON contains a list of key value pair, the key is a name, and the value is a count of how many times does this name found in Solr.
the log looks like this:

"123" , "987"               , "234" , "876"               , "345" ,  "765"

What I need to do is build a timechart based on the value.
The truth is- I'm pretty lost. I searched and saw a lot of answers that suggested using regex, but i'm not sure how to use it in this case, and how to use this to build this chart.

Any help will be appreciated. Thanks

MuS · ‎04-10-2017

Hi Tom1187,

if the fields are not extracted already, you can have a look at this answer https://answers.splunk.com/answers/319646/how-to-write-the-regex-to-extract-data-inside-squa.html and do it using props.conf and transforms.conf

In your case you would need this regex to match:

  REGEX = "([^"]+)"\s+,\s+"([^"]+)"

Hope this helps ...

cheers, MuS

View solution in original post

MuS · ‎04-10-2017

Hi Tom1187,

if the fields are not extracted already, you can have a look at this answer https://answers.splunk.com/answers/319646/how-to-write-the-regex-to-extract-data-inside-squa.html and do it using props.conf and transforms.conf

In your case you would need this regex to match:

  REGEX = "([^"]+)"\s+,\s+"([^"]+)"

Hope this helps ...

cheers, MuS

Tom1187 · ‎04-16-2017

Hi, thanks fro commenting.
for some reason, I had problem using the props.conf and transforms.conf .
Both file were configured to used a working regex (your regex was great, just had to tweak it so it will work on a json), yet it didn't extracted the fields.
In the splunk web page, under the fields extraction manager I saw both of the fields I tried to extract, yet when I searched they weren't extracted.
I tried also to create an extraction using the "add field extraction" in the splunk webpage, which work- well, not exactly. Instead of extracting all of the key values, it only extracted the first value.

Because of a dead line I was forced to try a fast and simple solution- I'm using rex on every search. Its not ideal, but its working.
I still need to bar chart/ column chart the two fields, but I'll try to do this my own.

thanks for your help! really appreciate that!

somesoni2 · ‎04-10-2017

What type of chart you want to create and what aggregation you want to do with values? Are the fields already extracted by Splunk?

Tom1187 · ‎04-10-2017

I want to create a basic line chart, it will only use to see the count of every name.
I'm not sure how to extract fields so I guess not

somesoni2 · ‎04-10-2017

You can run a search to fetch your data in Smart or Verbose mode and check the left hand field side bar if they are present. If not, then can you share a full sample event?

Tom1187 · ‎04-10-2017

I'll try and I will update. In the meantime- thanks for commenting!

How to chart a list of key value pairs

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?