How to create a timechart plotting average values for nested JSON data?

paulwrussell
Explorer

I am receiving JSON into Splunk in the following format. I'm trying to figure out how I can do searches to plot average values for this nested data. I need to be able to plot a line for each node over time, but I also need to be able to plot the average value for all nodes within a gateway over time. I don't know if I should be splitting up this data into multiple events as it comes into Splunk or whether my search should normalize all nodes to a common name as the id is in the data, and then try to split it up. Are there other options I haven't thought of yet?

The list of nodes is a dynamic list, so I can't hardcode these node ids.

gateway: "gateway1",
nodes: { 
     1002: { 
        id:  1002 
     } 
     11: {
         id:  11 
         value:  100
     } ,
     14: {
         id:  11 
         value:  120
     } 
}

Help is really appreciated.

0 Karma

jkat54
SplunkTrust
SplunkTrust

First off, the JSON is not valid. It only validates after I edit it to look like this:

{
    "gateway": "gateway1",
    "nodes": {
        "1002": {
            "id": 1002,
            "value": 100
        },
        "11": {
            "id": 11,
            "value": 100
        },
        "14": {
            "id": 14,
            "value": 120
        }
    }
}

Once I have it indexed with correct syntax, and sourcetype=_json, the following search works:

 ...| timechart avg(nodes.*.value) AS *.value | addtotals

You'll have to do a separate timechart for each gateway though... good use case for a dashboard with drop down selector, etc.

0 Karma
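The ingest-time option the question raises (split each gateway event into one flat event per node, then average per node or per gateway, as jkat54's per-gateway timechart does) written out as an added Python example; this is not code from the thread or from Splunk, and the rule of skipping nodes without a value and the 60-second bucket are assumptions:

```python
import json
from collections import defaultdict
from statistics import mean

# Constructed sample in the corrected shape posted above; node 1002 has
# no "value", which is the edge case the averages must tolerate.
SAMPLE_EVENT = json.dumps({
    "gateway": "gateway1",
    "nodes": {
        "1002": {"id": 1002},
        "11": {"id": 11, "value": 100},
        "14": {"id": 14, "value": 120},
    },
})


def split_nodes(raw, timestamp):
    """One flat event per node, keyed by the dynamic ids under "nodes".

    Nodes without a numeric "value" are skipped instead of contributing
    zeros to the gateway average (an assumption, not thread guidance).
    """
    doc = json.loads(raw)
    gateway = doc["gateway"]
    flat = []
    for key, node in doc.get("nodes", {}).items():
        value = node.get("value")
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            continue
        flat.append({"_time": timestamp, "gateway": gateway,
                     "node_id": str(node.get("id", key)), "value": value})
    return flat


def timechart_avg(events, span, by):
    """Average "value" per time bucket, grouped by the field `by`.

    Mirrors `timechart span=<span> avg(value) by <by>`: the result maps
    (bucket_start, group) to that bucket's average.
    """
    buckets = defaultdict(list)
    for ev in events:
        bucket = ev["_time"] - ev["_time"] % span
        buckets[(bucket, ev[by])].append(ev["value"])
    return {k: mean(v) for k, v in buckets.items()}

if __name__ == "__main__":
    evs = split_nodes(SAMPLE_EVENT, 1_700_000_000)
    print(timechart_avg(evs, 60, "node_id"))  # one series per node
    print(timechart_avg(evs, 60, "gateway"))  # one series per gateway
```

Feeding the flat events to Splunk (for example over HEC) gives you plain `node_id`, `gateway` and `value` fields, so `timechart avg(value) by node_id` and `timechart avg(value) by gateway` both work without any wildcard field names.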

sundareshr
Legend
0 Karma

shawny2005
Path Finder

Splunk seriously needs some help in this place. Being able to utilize nested JSON would be really useful. Right now it kind of sucks.

0 Karma

sundareshr
Legend

Great. Use this to build your timechart, after you have extracted the fields. In this example, I am going to use rex (you may have to tweak the regex for your data).

.... | rex max_match=0 "id:\s+(?<id>\d+)" | rex max_match=0 "value:\s+(?<value>\d+)" | eval z=mvzip(id, value) | mvexpand z | rex field=z "(?<id>\d+),(?<value>\d+)" | timechart avg(value) as average by id

0 Karma

paulwrussell
Explorer

Yes, I've looked at it. I can turn it into a string and use rex to remove the outside node IDs, but I'm not sure what to do after that.

0 Karma