How to parse value from json event and build graph...

alexeysharkov · ‎03-28-2023

Hello gays

I have events like this, in raw text:

{"key":"Pending","value":0}

{"key":"NOT processed","value":9}

{"key":"error","value":5}

...

And so on

Every row is event

I wanna build chart with latest value of "Pending", "NOT processed", :"error"

I cannot understand how to do it

Please help

alexeysharkov · ‎03-28-2023

thanks @gcusello for your advise

I solve problem :

<search> | timechart cont=false latest(value) as Message_Count by key

gcusello · ‎03-28-2023

Hi @alexeysharkov,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

alexeysharkov · ‎03-28-2023

Thanks @gcusello for your assistance

#did you alread extracted these fields or not? #

No

gcusello · ‎03-28-2023

Hi @alexeysharkov,

in this case to give you a complete answer, I need to have some sample of your logs (complete events) to extract ields using regex.

Ciao.

Giuseppe

gcusello · ‎03-28-2023

Hi @alexeysharkov,

did you alread extracted these fields or not?

if yes, you could run something like this:

<your_search>
| stats 
   last(Pending) AS pending
   last("NOT processed") AS "NOT processed"
   last(error) AS error

for more infos see at https://docs.splunk.com/Documentation/Splunk/9.0.4/SearchReference/Stats

Only one additional information: these seems to be json format logs, but you have them in separated events, maybe you shuld analyze youd data and use a different parsing rule.

Ciao.

Giuseppe

How to parse value from json event and build graph?

eval

timechart

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms