Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create a timechart plotting average values for nested JSON data?

paulwrussell
Explorer
‎05-21-2016 10:50 PM

I am receiving JSON into Splunk in the following format. I'm trying to figure out how I can do searches to plot average values for this nested data. I need to be able to plot a line for each node over time, but I also need to be able to plot the average value for all nodes within a gateway over time. I don't know if I should be splitting up this data into multiple events as it comes into Splunk or whether my search should normalize all nodes to a common name as the id is in the data, and then try to split it up. Are there other options I haven't thought of yet?

The list of nodes is a dynamic list, so I can't hardcode these node ids. 

gateway: "gateway1",
nodes: { 
     1002: { 
        id:  1002 
     } 
     11: {
         id:  11 
         value:  100
     } ,
     14: {
         id:  11 
         value:  120
     } 
}

Help is really appreciated.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎05-23-2016 10:43 AM

First off, the json is not valid. it only validates after I edit it to look like this:

{
    "gateway": "gateway1",
    "nodes": {
        "1002": {
            "id": 1002,
            "value": 100
        },
        "11": {
            "id": 11,
            "value": 100
        },
        "14": {
            "id": 14,
            "value": 120
        }
    }
}

Once i have it indexed with correct syntax, and sourcetype=_json, the following search works:

 ...| timechart avg(nodes.*.value) AS *.value | addtotals

You'll have to do a separate timechart for each gateway though... good use case for a dashboard with drop down selector, etc.

0 Karma
Reply

sundareshr
Legend
‎05-22-2016 09:16 AM

Have you looked at spath?

http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/Spath

0 Karma
Reply

shawny2005
Path Finder
‎08-15-2016 04:51 PM

spunk seriously needs some help in this place. being able to utilize nested jsons would be really useful. right now it kind sucks.

0 Karma
Reply

sundareshr
Legend
‎05-22-2016 03:24 PM

Great. Use this to build your timechart, after you have extracted the fields. In this example, I am going to use rex (you may have to tweak the regex for your data)

.... | rex max_match=0 "id:\s(?<id>\s)" | rex max_match=0 "value:\s(?<value>\d+)" | eval z=mvzip(id, value) | mvexpand z | rex field=z "(?<id>\d+),(?<value>\d+) | timechart avg(value) as average by id
0 Karma
Reply

paulwrussell
Explorer
‎05-22-2016 02:47 PM

yes ive looked at it. i can turn into string and use rex to remove outside node ids. but not sure what to do after that.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...