Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create a timechart plotting average values for nested JSON data?

paulwrussell
Explorer
‎05-21-2016 10:50 PM

I am receiving JSON into Splunk in the following format. I'm trying to figure out how I can do searches to plot average values for this nested data. I need to be able to plot a line for each node over time, but I also need to be able to plot the average value for all nodes within a gateway over time. I don't know if I should be splitting up this data into multiple events as it comes into Splunk or whether my search should normalize all nodes to a common name as the id is in the data, and then try to split it up. Are there other options I haven't thought of yet?

The list of nodes is a dynamic list, so I can't hardcode these node ids. 

gateway: "gateway1",
nodes: { 
     1002: { 
        id:  1002 
     } 
     11: {
         id:  11 
         value:  100
     } ,
     14: {
         id:  11 
         value:  120
     } 
}

Help is really appreciated.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎05-23-2016 10:43 AM

First off, the json is not valid. it only validates after I edit it to look like this:

{
    "gateway": "gateway1",
    "nodes": {
        "1002": {
            "id": 1002,
            "value": 100
        },
        "11": {
            "id": 11,
            "value": 100
        },
        "14": {
            "id": 14,
            "value": 120
        }
    }
}

Once i have it indexed with correct syntax, and sourcetype=_json, the following search works:

 ...| timechart avg(nodes.*.value) AS *.value | addtotals

You'll have to do a separate timechart for each gateway though... good use case for a dashboard with drop down selector, etc.

0 Karma
Reply

sundareshr
Legend
‎05-22-2016 09:16 AM

Have you looked at spath?

http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/Spath

0 Karma
Reply

shawny2005
Path Finder
‎08-15-2016 04:51 PM

spunk seriously needs some help in this place. being able to utilize nested jsons would be really useful. right now it kind sucks.

0 Karma
Reply

sundareshr
Legend
‎05-22-2016 03:24 PM

Great. Use this to build your timechart, after you have extracted the fields. In this example, I am going to use rex (you may have to tweak the regex for your data)

.... | rex max_match=0 "id:\s(?<id>\s)" | rex max_match=0 "value:\s(?<value>\d+)" | eval z=mvzip(id, value) | mvexpand z | rex field=z "(?<id>\d+),(?<value>\d+) | timechart avg(value) as average by id
0 Karma
Reply

paulwrussell
Explorer
‎05-22-2016 02:47 PM

yes ive looked at it. i can turn into string and use rex to remove outside node ids. but not sure what to do after that.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...