Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Plotting bar chart X axis are JSON keys and Y axis are length of JSON values

oKeNiDJE
Engager
‎07-22-2021 04:40 AM

Hi

I have the following JSON object.

I would like to be able to ultimately create a bar chart with the following:

 

X-Axis: Animal type ie dog, cat, chicken.....

Y-Axis: The length of animal's array, this example, dog=2 cat=3 chicken=1

 

 

{
	"data": {
		"animals": {
			"dog": [{"name": "rex", "id": 1}, {"name": "tom", "id": 2}],
			"cat": [{"name": "rex", "id": 3}, {"name": "tom", "id": 4}, {"name": "sam", "id": 5}],
			"chicken": [{"name": "rex", "id": 6}]
		}
	}
}

 

 

 

I'm new to Splunk so apologies but I'm not sure where to even begin

 

Thanks in advance for any help

Labels (1)
Labels
0 Karma
Reply

oKeNiDJE
Engager
‎07-22-2021 03:11 PM

This has been super helpful @kamlesh_vaghela ! Thank you so much

 

Say if you had a JSON object however and didn't want to convert it to a string and use rex, would that be possible?

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-22-2021 09:34 PM

@oKeNiDJE 

That you need to POC and check 😅.  Coz, Splunk ingest characters / text format and if you ingest Json object then Splunk might be ingest represented value of that object and that might be invalid data for as. 

Splunk need valid json string for auto discovery of fields.

So here I suggest keep it in converted string format and use rex for our requirements . 😊

 

Thanks
KV
▄︻̷̿┻̿═━一   ?

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma
Reply

oKeNiDJE
Engager
‎07-22-2021 08:40 AM

Thanks @kamlesh_vaghela . That would work yes,  however, I need the search query to be dynamic because I don't know the keys ahead of time. 

Any idea on how to do this?

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-22-2021 09:06 AM

@oKeNiDJE 

I have updated my answer. Can you please check it?

KV

Tags (1)
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-22-2021 06:49 AM

@oKeNiDJE 

Can you please try this?

 

 

YOUR_SEARCH 
| rex field=_raw "\"(?<animal>\w+)\":\s\[(?<arr>[^\]]*])" max_match=0
| eval t=mvzip(animal,arr,"|")
|stats count by t
| eval animal=mvindex(split(t,"|"),0),arr="[".mvindex(split(t,"|"),1) |fields - t, count
| rex field=arr "\"id\":\s(?<ids>\d)" max_match=0|eval count=mvcount(ids) 
| table animal count

 

 

 

My Sample Search :

 

 

| makeresults | eval _raw="{\"data\": {\"animals\": {\"dog\": [{\"name\": \"rex\", \"id\": 1}, {\"name\": \"tom\", \"id\": 2}],\"cat\": [{\"name\": \"rex\", \"id\": 3}, {\"name\": \"tom\", \"id\": 4}, {\"name\": \"sam\", \"id\": 5}],\"chicken\": [{\"name\": \"rex\", \"id\": 6}]}}}" 
| rex field=_raw "\"(?<animal>\w+)\":\s\[(?<arr>[^\]]*])" max_match=0
| eval t=mvzip(animal,arr,"|")
|stats count by t
| eval animal=mvindex(split(t,"|"),0),arr="[".mvindex(split(t,"|"),1) |fields - t, count
| rex field=arr "\"id\":\s(?<ids>\d)" max_match=0|eval count=mvcount(ids) 
| table animal count

 

 

 

 

Thanks
KV
▄︻̷̿┻̿═━一   ?

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.
 

Preview file
93 KB
Reply
Get Updates on the Splunk Community!

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...