How to select just JSON properties and display it on a chart?

New Member

How can I select the JSON properties and display them on a bar chart? Not their value, but their name. I need to build a bar chart similar to this one above, where the X axis is the different NAMES of JSON properties, the Y axis is the COUNT of each JSON property's values (there are three options: true, false and missing) and the colors must be the JSON properties' values.

The JSON I have is:
JsonData="{
"Uniformance_Oracle_Access":"True"
"FACTS_Access":"True"
"Oracle_GG":"False"}"

So far I was just able to display the values in the colors and do a Y-axis correctly, but the X-axis has been a real problem.

0 Karma
1 Solution

SplunkTrust

What is the missing criteria? What would the corresponding event look like?

Sorry, I could not find a neat way to do this. Hopefully others will be able to assist; however, you can count True and False per series and then append the results for each series, i.e. Uniformance_Oracle_Access, FACTS_Access, Oracle_GG

<YourBaseSearch>
| table Uniformance_Oracle_Access
| chart count(eval(Uniformance_Oracle_Access=="True")) as True count(eval(Uniformance_Oracle_Access=="False")) as False
| eval Field="Uniformance_Oracle_Access"
| append [ <YourBaseSearch>
                    | table FACTS_Access
                    | chart count(eval(FACTS_Access=="True")) as True count(eval(FACTS_Access=="False")) as False
                    | eval Field="FACTS_Access"]
| append [ <YourBaseSearch>
                    | table Oracle_GG
                    | chart count(eval(Oracle_GG=="True")) as True count(eval(Oracle_GG=="False")) as False
                    | eval Field="Oracle_GG"]

Then you need to create a Stacked Column Chart for these. There should be a better way to do this, as I am running the same search three times for append, and if there is more data being correlated, append might silently drop data, giving skewed results. Please see if this still works for you until someone provides a better solution.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

0 Karma

New Member

The colors that should be only "True", "False" or "Missing" are displaying "True" and "Field". I'm trying to fix this. But the table displayed seems correct. Thank you (:

0 Karma

SplunkTrust

@gcescatto, I have converted my comment to answer. Please accept to mark the question as Answered. Please let us know if further help is required!

0 Karma

New Member

Could you please help me swap the places of "Field" and "True"?
The table is correct, but the chart needs to have "Field" on the X axis and "True" and "False" as the colors. Sorry to bother, I'm new to Splunk.

0 Karma

SplunkTrust

Where do you get the value for each of the columns? It is not present in your sample JSON.

0 Karma

New Member

The values are "True" and "False". They come from PowerShell scripts that store data in the database. So, my application is a dbconnect application.

0 Karma
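
A single-pass alternative to the three appended searches in the accepted answer, added here as an example that is not part of the original thread: `untable` turns each property name into its own row, so the chart gets Field on the X axis and True/False/Missing as the series. The `makeresults` and `eval` lines only build constructed sample events, and `row` is a helper field name assumed for this example; on real data, replace the first and the three `eval` lines with your base search and keep the `streamstats` line.

```spl
| makeresults count=6
| streamstats count AS row
| eval Uniformance_Oracle_Access=case(row<=4, "True", row==5, "False")
| eval FACTS_Access=if(row%2==0, "True", "False")
| eval Oracle_GG=case(row==1, "True", row<=3, "False")
| table row Uniformance_Oracle_Access FACTS_Access Oracle_GG
| fillnull value="Missing" Uniformance_Oracle_Access FACTS_Access Oracle_GG
| untable row Field Value
| chart count over Field by Value
```

Render the result as a stacked column chart. Since the search runs once with no `append` subsearch, the silent truncation the answer warns about does not arise.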