Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to create a chart that shows the JSON coun...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunk_novice
New Member
06-22-2018
05:39 PM
Each line of my log has the following json construct
{ resourceUsage: [
{
cloud: AWS
count: 34
resource: EC2_INSTANCE
}
{
cloud: AWS
count: 3
resource: NAT_GATEWAY
}
]
}
I want create a time chart that shows sum (resourceUsage.count) by resourceUsage.resource eg. EC2_INSTANCE = 51, NAT_GATEWAY=25
My query which doesn't work looks like this timechart span=1d sum(resourceUsage{}.count) by resourceUsage{}.resource
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
06-23-2018
01:10 AM
Hi @splunk_novice,
Hope this helps.
| makeresults |eval json="{
\"resourceUsage\": [
{
\"cloud\": \"AWS\",
\"count\": 34,
\"resource\": \"EC2_INSTANCE\"
},
{
\"cloud\": \"AWS\",
\"count\": 3,
\"resource\": \"NAT_GATEWAY\"
},
{
\"cloud\": \"AWS\",
\"count\": 10,
\"resource\": \"EC2_INSTANCE\"
},
{
\"cloud\": \"AWS\",
\"count\": 22,
\"resource\": \"NAT_GATEWAY\"
},
{
\"cloud\": \"AWS\",
\"count\": 7,
\"resource\": \"EC2_INSTANCE\"
}
]
}"
| spath input=json|fields - json|rename resourceUsage{}.resource as resource,resourceUsage{}.count as count
|eval zip=mvzip(resource,count)
|fields _time,zip| mvexpand zip|eval splitted=split(zip,",")|eval resource=mvindex(splitted,0)|eval count=mvindex(splitted,1)
|table _time resource,count|timechart sum(count) by resource
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sukisen1981
Champion
06-23-2018
01:27 AM
<your index> | rex field=_raw "count:(?<count>.*)" max_match=0 | rex field=_raw "resource:(?<resource>.*)" max_match=0| eval count=trim(count)|eval resource=trim(resource) |eval fields = mvzip(count,resource)
| mvexpand fields
| rex field=fields "(?<count>\w+),(?<resource>\w+)"
|timechart values(count) by resource
Try this if you are not sure about your json field, ideally @renjith.nair 's solution and spath is the correct way to go about this
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
06-23-2018
01:10 AM
Hi @splunk_novice,
Hope this helps.
| makeresults |eval json="{
\"resourceUsage\": [
{
\"cloud\": \"AWS\",
\"count\": 34,
\"resource\": \"EC2_INSTANCE\"
},
{
\"cloud\": \"AWS\",
\"count\": 3,
\"resource\": \"NAT_GATEWAY\"
},
{
\"cloud\": \"AWS\",
\"count\": 10,
\"resource\": \"EC2_INSTANCE\"
},
{
\"cloud\": \"AWS\",
\"count\": 22,
\"resource\": \"NAT_GATEWAY\"
},
{
\"cloud\": \"AWS\",
\"count\": 7,
\"resource\": \"EC2_INSTANCE\"
}
]
}"
| spath input=json|fields - json|rename resourceUsage{}.resource as resource,resourceUsage{}.count as count
|eval zip=mvzip(resource,count)
|fields _time,zip| mvexpand zip|eval splitted=split(zip,",")|eval resource=mvindex(splitted,0)|eval count=mvindex(splitted,1)
|table _time resource,count|timechart sum(count) by resource
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunk_novice
New Member
06-23-2018
11:55 AM
Thanks renjith, worked like a charm.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sukisen1981
Champion
06-23-2018
12:53 AM
Hi, have you tried spath - http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Spath
Get Updates on the Splunk Community!
Infographic provides the TL;DR for the 2024 Splunk Career Impact Report
We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...
Enterprise Security Content Update (ESCU) | New Releases
In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
(This is the first of a series of 2 blogs).
Splunk Enterprise Security is a fantastic tool that offers robust ...
