Solved: Re: Plotting Each element of a Json

rai4shambhavi · ‎09-15-2021

so my log lines look something like this

<<METRIC-START>>{"A":332,"B":45,"C":67,"D":23,"E":234,"F":435,"G":43,"H":66,"I":32,"J":67,"K":21,"L":678,"M":45,"N":56}<<METRIC-END>>

It is in form of a Json and I am able to extract the fields along with time using this

| rex field=line "(?<=<<METRIC-START>>)(?<importMetrics>.*)(?=<<METRIC-END>>)"
| spath input=importMetrics

now I wish to plot A,B,C,D as timecharts, so I will have to give this command

| timechart span=1h
max(A) as A,
max(B) as B....till Z

So the whole query works fine but I wanted to know if there is anyshort way of doing it

| rex field=line "(?<=<<METRIC-START>>)(?<importMetrics>.*)(?=<<METRIC-END>>)"
| spath input=importMetrics
| timechart span=1h
max(A) as A,
max(B) as B....till Z

ITWhisperer · ‎09-15-2021

Given that you only appear to be interested in the fields in importMetrics, you can remove the other fields and then use wildcards

| rex field=line "(?<=<<METRIC-START>>)(?<importMetrics>.*)(?=<<METRIC-END>>)"
| spath input=importMetrics
| fields - line importMetrics
| timechart span=1h max(*) as *

View solution in original post

ITWhisperer · ‎09-15-2021

Given that you only appear to be interested in the fields in importMetrics, you can remove the other fields and then use wildcards

| rex field=line "(?<=<<METRIC-START>>)(?<importMetrics>.*)(?=<<METRIC-END>>)"
| spath input=importMetrics
| fields - line importMetrics
| timechart span=1h max(*) as *

Plotting Each element of a Json

timechart

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor