How to convert JSON with multiple values for same ...

ankithreddy777 · ‎11-12-2019

I have a sample JSON object containing multiple values for same metric_name which is CPU_usage. How to convert it in to multiple metric points whose metric name is same i.e CPU_usage.

samplejson: [ [-]
{ [-]
epochtime: 1573532862
value: 5.29
}
{ [-]
epochtime: 1573532562
value: 5.34
}

woodcock · ‎11-17-2019

This is best done using jquery tool before it comes into Splunk. The king of jquery and splunk is @mmodestino_splunk so maybe he will also comment.

to4kawa · ‎11-17-2019

| makeresults
| eval _raw="{ \"samplejson\": [
{
\"epochtime\": 1573532862,
\"value\": 5.29
}, {
\"epochtime\": 1573532562,
\"value\": 5.34
} ] }"
| spath
`comment("this is sample data")`
| eval raw=mvzip('samplejson{}.epochtime','samplejson{}.value')
| table raw
| mvexpand raw
| rex field=raw "(?<_time>[^,]+),(?<CPU_Usage>.+)"

Hi, how about this?

ankithreddy777 · ‎11-17-2019

Hi @to4kawa , I am looking to break events at index time and convert to metric points to store data in metric index

to4kawa · ‎11-17-2019

OK. I don’t know. I'm sorry.

How to convert JSON with multiple values for same metric name in to metric points

Improve Your Security Posture

Maximize the Value from Microsoft Defender with Splunk

This Week's Community Digest - Splunk Community Happenings [6.27.22]