Plotting Each element of a Json

rai4shambhavi
Explorer

So my log lines look something like this:

<<METRIC-START>>{"A":332,"B":45,"C":67,"D":23,"E":234,"F":435,"G":43,"H":66,"I":32,"J":67,"K":21,"L":678,"M":45,"N":56}<<METRIC-END>>

It is in the form of JSON, and I am able to extract the fields along with time using this:

| rex field=line "(?<=<<METRIC-START>>)(?<importMetrics>.*)(?=<<METRIC-END>>)"
| spath input=importMetrics

Now I wish to plot A, B, C, D as timecharts, so I will have to give this command:

| timechart span=1h
max(A) as A,
max(B) as B....till Z


So the whole query works fine, but I wanted to know if there is any short way of doing it.


| rex field=line "(?<=<<METRIC-START>>)(?<importMetrics>.*)(?=<<METRIC-END>>)"
| spath input=importMetrics
| timechart span=1h
max(A) as A,
max(B) as B....till Z


ITWhisperer
SplunkTrust

Given that you only appear to be interested in the fields in importMetrics, you can remove the other fields and then use wildcards

| rex field=line "(?<=<<METRIC-START>>)(?<importMetrics>.*)(?=<<METRIC-END>>)"
| spath input=importMetrics
| fields - line importMetrics
| timechart span=1h max(*) as *
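
An added example, not part of the original thread: the wildcard approach run on constructed events, so it can be pasted into a search bar without the real logs. Because `max(*)` charts every field still on the event, this variant keeps only `_time` and the JSON payload before `spath`. The field `host_load` and the helper fields `n`, `a`, `b`, `c` are constructed for the example.

```spl
| makeresults count=6
| streamstats count AS n
| eval _time = relative_time(now(), "-3h@h") + (n * 1800) ```constructed: one event every 30 minutes```
| eval host_load = n * 1000 ```constructed stand-in for an unrelated numeric field```
| eval a = n * 10, b = 100 - n, c = n % 3
| eval line = "<<METRIC-START>>{\"A\":" . a . ",\"B\":" . b . ",\"C\":" . c . "}<<METRIC-END>>"
| rex field=line "(?<=<<METRIC-START>>)(?<importMetrics>.*)(?=<<METRIC-END>>)"
| table _time importMetrics
| spath input=importMetrics
| fields - importMetrics
| timechart span=1h max(*) as *
```

The result has one column per JSON key (A, B, C) and no `host_load` column; replacing the `table` line with `fields - line importMetrics` leaves `host_load` and the helper fields in the chart as well.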
