Solved: How to chart and compare memory usage of my JSON d...

suarezry · ‎01-26-2017

I've got an interesting JSON:

{"timeStamp":"2017-01-26 23:59","name":"myVM1","counter":"mem.usage.average","description":"Memory usage as percentage of total configured or available memory","unit":"%","values":{"2017-01-26 10:00":"8.99","2017-01-26 09:55":"19.39","2017-01-26 09:50":"7.99"}}
{"timeStamp":"2017-01-26 23:59","name":"myVM2","counter":"mem.usage.average","description":"Memory usage as percentage of total configured or available memory","unit":"%","values":{"2017-01-26 10:00":"33.11","2017-01-26 09:55":"42.12","2017-01-26 09:50":"23.32"}}

The key is the timestamps. Can someone please provide the syntax to chart the two so I can compare memory usage? Thanks!

somesoni2 · ‎01-26-2017

Assuming fields are all extracted, try like this

your base search | table name values* | untable name timestamp value | eval _time=strptime(timestamp,"values.%Y-%m-%d %H:%M") | timechart avg(value) by name

View solution in original post

somesoni2 · ‎01-26-2017

Assuming fields are all extracted, try like this

your base search | table name values* | untable name timestamp value | eval _time=strptime(timestamp,"values.%Y-%m-%d %H:%M") | timechart avg(value) by name

suarezry · ‎01-26-2017

thank you! Exactly what I needed!

javiergn · ‎01-26-2017

I've tried to replicate your question in my lab and I came up with the following. Let me know if it helps:

| makeresults
| fields - _time
| eval raw = "
    {\"timeStamp\":\"2017-01-26 23:59\",\"name\":\"myVM1\",\"counter\":\"mem.usage.average\",\"description\":\"Memory usage as percentage of total configured or available memory\",\"unit\":\"%\",\"values\":{\"2017-01-26 10:00\":\"8.99\",\"2017-01-26 09:55\":\"19.39\",\"2017-01-26 09:50\":\"7.99\"}}
    ;
    {\"timeStamp\":\"2017-01-26 23:59\",\"name\":\"myVM2\",\"counter\":\"mem.usage.average\",\"description\":\"Memory usage as percentage of total configured or available memory\",\"unit\":\"%\",\"values\":{\"2017-01-26 10:00\":\"33.11\",\"2017-01-26 09:55\":\"42.12\",\"2017-01-26 09:50\":\"23.32\"}}
"
| eval raw = split(raw, ";")
| mvexpand raw
| spath input=raw path=name output=name
| spath input=raw path=values output=timevalues
| rex field=timevalues max_match=0 "(?<pairs>\"\d{4}\-\d{2}\-\d{2} \d{2}\:\d{2}\"\:\"[\d\.]+\")"
| mvexpand pairs
| rex field=pairs "\"(?<time>\d{4}\-\d{2}\-\d{2} \d{2}\:\d{2})\"\:\"(?<value>[\d\.]+)\""
| eval _time = strptime(time, "%Y-%m-%d %H:%M")
| timechart span=5m first(value) as value by name

Output: see pictures below

suarezry · ‎01-26-2017

Sorry, forgot to add that Splunk is already correctly parsing these events as JSON

somesoni2 · ‎01-26-2017

Compare usage of both VMs at a give instance? The values contains multiple recording of memory usage, so you want to plot all of 3?

suarezry · ‎01-26-2017

yes please, all three in a chart

How to chart and compare memory usage of my JSON data?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

Join the Conversation