How to convert JSON with multiple values for same ...

ankithreddy777 · ‎11-12-2019

I have a sample JSON object containing multiple values for same metric_name which is CPU_usage. How to convert it in to multiple metric points whose metric name is same i.e CPU_usage.

samplejson: [ [-]
{ [-]
epochtime: 1573532862
value: 5.29
}
{ [-]
epochtime: 1573532562
value: 5.34
}

woodcock · ‎11-17-2019

This is best done using jquery tool before it comes into Splunk. The king of jquery and splunk is @mmodestino_splunk so maybe he will also comment.

to4kawa · ‎11-17-2019

| makeresults
| eval _raw="{ \"samplejson\": [
{
\"epochtime\": 1573532862,
\"value\": 5.29
}, {
\"epochtime\": 1573532562,
\"value\": 5.34
} ] }"
| spath
`comment("this is sample data")`
| eval raw=mvzip('samplejson{}.epochtime','samplejson{}.value')
| table raw
| mvexpand raw
| rex field=raw "(?<_time>[^,]+),(?<CPU_Usage>.+)"

Hi, how about this?

ankithreddy777 · ‎11-17-2019

Hi @to4kawa , I am looking to break events at index time and convert to metric points to store data in metric index

to4kawa · ‎11-17-2019

OK. I don’t know. I'm sorry.

How to convert JSON with multiple values for same metric name in to metric points

.conf25 Registration is OPEN!

Detecting Cross-Channel Fraud with Splunk

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Are you a member of the Splunk Community?

How to convert JSON with multiple values for same metric name in to metric points

.conf25 Registration is OPEN!

Detecting Cross-Channel Fraud with Splunk

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside