How to convert JSON with multiple values for same ...

ankithreddy777 · ‎11-12-2019

I have a sample JSON object containing multiple values for same metric_name which is CPU_usage. How to convert it in to multiple metric points whose metric name is same i.e CPU_usage.

samplejson: [ [-]
{ [-]
epochtime: 1573532862
value: 5.29
}
{ [-]
epochtime: 1573532562
value: 5.34
}

woodcock · ‎11-17-2019

This is best done using jquery tool before it comes into Splunk. The king of jquery and splunk is @mmodestino_splunk so maybe he will also comment.

to4kawa · ‎11-17-2019

| makeresults
| eval _raw="{ \"samplejson\": [
{
\"epochtime\": 1573532862,
\"value\": 5.29
}, {
\"epochtime\": 1573532562,
\"value\": 5.34
} ] }"
| spath
`comment("this is sample data")`
| eval raw=mvzip('samplejson{}.epochtime','samplejson{}.value')
| table raw
| mvexpand raw
| rex field=raw "(?<_time>[^,]+),(?<CPU_Usage>.+)"

Hi, how about this?

ankithreddy777 · ‎11-17-2019

Hi @to4kawa , I am looking to break events at index time and convert to metric points to store data in metric index

to4kawa · ‎11-17-2019

OK. I don’t know. I'm sorry.

How to convert JSON with multiple values for same metric name in to metric points

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Cultivate Your Career Growth with Fresh Splunk Training

Introducing a Smarter Way to Discover Apps on Splunkbase

Are you a member of the Splunk Community?

How to convert JSON with multiple values for same metric name in to metric points

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Cultivate Your Career Growth with Fresh Splunk Training

Introducing a Smarter Way to Discover Apps on Splunkbase