Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search to parse a JSON array and chart values for different components over time?

jwair
New Member
‎12-08-2016 08:28 AM

I have a periodic event with a JSON array that holds some values for different items. I would like to chart one of these values (per component) vs time

E.g.
One event would looks something like:

[
  {
    "name": "ABC",
    "data": {
      "a": 1,
      "b": 5
    }
  },
  {
    "name": "XYZ",
    "data": {
      "a": 2,
      "b": 7
    }
  }
]

The values for a and b change in consequent events, but the structure stays the same.

I would like to chart the values of 'a' for different components. A final output would look like this:
alt text

I used 'spath' to parse the JSON array, and I was able to pull the 'name' values and 'a' values, but there were two problems. I could not correlate which value corresponded to which 'name', and when I made a table of the parsed values I got all the 'name' values and all 'a' values in one row corresponding to the event. I might be taking the wrong approach here, but this is what I have:

| ...
| spath input=myField
| rename {}.name AS name, {}.data.a AS a
| table name, a

Could you please help me create the search string to make the chart described above?

chart.png
Preview file
6 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-08-2016 11:43 AM

Give this a try

| ...
 | spath input=myField
 | rename {}.name AS name, {}.data.a AS a | eval temp=mvzip(name,a,"#")
| mvexpand temp | rex field=temp "(?<name>[^#]+)#(?<a>.+)" | fields - temp
 | table name, a

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-08-2016 11:43 AM

Give this a try

| ...
 | spath input=myField
 | rename {}.name AS name, {}.data.a AS a | eval temp=mvzip(name,a,"#")
| mvexpand temp | rex field=temp "(?<name>[^#]+)#(?<a>.+)" | fields - temp
 | table name, a
0 Karma
Reply
Solved! Jump to solution

jwair
New Member
‎12-16-2016 04:15 PM

Thanks, this works perfectly 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Cultivate Your Career Growth with Fresh Splunk Training

Growth doesn’t just happen—it’s nurtured. Like tending a garden, developing your Splunk skills takes the right ...

Introducing a Smarter Way to Discover Apps on Splunkbase

We’re excited to announce the launch of a foundational enhancement to Splunkbase: App Tiering.  Because we’ve ...

How to Send Splunk Observability Alerts to Webex teams in Minutes

As a Developer Evangelist at Splunk, my team and I are constantly tinkering with technology to explore its ...
Top