How to select just JSON properties and display it on a chart?

gcescatto
New Member

How can I select the JSON properties and display them on a bar chart? Not their value, but their name. I need to build a bar chart similar to this one above, where the X axis is the different NAMES of JSON properties, the Y axis is the COUNT of each JSON property's values (there are three options: true, false and missing) and the colors must be the JSON properties values.

The json I have is:
JsonData="{
"Uniformance_Oracle_Access":"True"
"FACTS_Access":"True"
"Oracle_GG":"False"}"

So far I was just able to display the values in the colors and do a Y-axis correctly, but the X-axis has been a real problem.


niketn
Legend

What is the missing criteria? What would the corresponding event look like?

Sorry, I could not find a neat way to do this. Hopefully others will be able to assist; however, you can count True and False per series and then append the results for each series, i.e. Uniformance_Oracle_Access, FACTS_Access, Oracle_GG

<YourBaseSearch>
| table Uniformance_Oracle_Access
| chart count(eval(Uniformance_Oracle_Access=="True")) as True count(eval(Uniformance_Oracle_Access=="False")) as False
| eval Field="Uniformance_Oracle_Access"
| append [ <YourBaseSearch>
                    | table FACTS_Access
                    | chart count(eval(FACTS_Access=="True")) as True count(eval(FACTS_Access=="False")) as False
                    | eval Field="FACTS_Access"]
| append [ <YourBaseSearch>
                    | table Oracle_GG
                    | chart count(eval(Oracle_GG=="True")) as True count(eval(Oracle_GG=="False")) as False
                    | eval Field="Oracle_GG"]

Then you need to create a Stacked Column Chart for these. There should be a better way to do this, as I am running the same search three times for append, and if the data being correlated is more, append might silently drop data, giving skewed results. Please see if this still works for you until someone provides a better solution.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

gcescatto
New Member

The colors that should be only "True", "False" or "Missing" are displaying "True" and "Field". I'm trying to fix this. But the table displayed seems correct. Thank you (:

niketn
Legend

@gcescatto, I have converted my comment to answer. Please accept to mark the question as Answered. Please let us know if further help is required!

gcescatto
New Member

Could you please help me swap the places of "Field" and "True"?
The table is correct, but the chart needs to have "Field" on the X axis and "True" and "False" as colors. Sorry to bother, I'm new to Splunk.

niketn
Legend

Where do you get the value for each of the columns? It is not present in your sample JSON.

gcescatto
New Member

The values are "True" and "False". They come from PowerShell scripts that store data in the database. So, my application is a dbconnect application.
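
A single-pass alternative to the three appended searches, as an added example that is not part of the original thread: `untable` turns each property name into a value of a `Field` column, so `chart count over Field by Value` puts the property names on the X axis and True/False/Missing in the series. The `makeresults` events are constructed sample data, `id` is a helper field introduced here, and the example assumes the three properties are already extracted as fields.

```spl
| makeresults count=4
| streamstats count as id
| eval Uniformance_Oracle_Access=case(id<=3,"True", id==4,"False")
| eval FACTS_Access=case(id<=2,"True", id==3,"False")
| eval Oracle_GG=case(id==1,"True", id<=3,"False")
| table id Uniformance_Oracle_Access FACTS_Access Oracle_GG
| fillnull value="Missing" Uniformance_Oracle_Access FACTS_Access Oracle_GG
| untable id Field Value
| chart count over Field by Value
```

Against real data, replace the first five lines with the base search followed by `| streamstats count as id`, and render the result as a stacked column chart. Because the base search runs only once, the result does not depend on `append` subsearch limits.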
