Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Plotting bar chart X axis are JSON keys and Y axis are length of JSON values

oKeNiDJE
Engager
‎07-22-2021 04:40 AM

Hi

I have the following JSON object.

I would like to be able to ultimately create a bar chart with the following:

 

X-Axis: Animal type ie dog, cat, chicken.....

Y-Axis: The length of animal's array, this example, dog=2 cat=3 chicken=1

 

 

{
	"data": {
		"animals": {
			"dog": [{"name": "rex", "id": 1}, {"name": "tom", "id": 2}],
			"cat": [{"name": "rex", "id": 3}, {"name": "tom", "id": 4}, {"name": "sam", "id": 5}],
			"chicken": [{"name": "rex", "id": 6}]
		}
	}
}

 

 

 

I'm new to Splunk so apologies but I'm not sure where to even begin

 

Thanks in advance for any help

Labels (1)
Labels
0 Karma
Reply

oKeNiDJE
Engager
‎07-22-2021 03:11 PM

This has been super helpful @kamlesh_vaghela ! Thank you so much

 

Say if you had a JSON object however and didn't want to convert it to a string and use rex, would that be possible?

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-22-2021 09:34 PM

@oKeNiDJE 

That you need to POC and check 😅.  Coz, Splunk ingest characters / text format and if you ingest Json object then Splunk might be ingest represented value of that object and that might be invalid data for as. 

Splunk need valid json string for auto discovery of fields.

So here I suggest keep it in converted string format and use rex for our requirements . 😊

 

Thanks
KV
▄︻̷̿┻̿═━一   ?

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma
Reply

oKeNiDJE
Engager
‎07-22-2021 08:40 AM

Thanks @kamlesh_vaghela . That would work yes,  however, I need the search query to be dynamic because I don't know the keys ahead of time. 

Any idea on how to do this?

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-22-2021 09:06 AM

@oKeNiDJE 

I have updated my answer. Can you please check it?

KV

Tags (1)
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-22-2021 06:49 AM

@oKeNiDJE 

Can you please try this?

 

 

YOUR_SEARCH 
| rex field=_raw "\"(?<animal>\w+)\":\s\[(?<arr>[^\]]*])" max_match=0
| eval t=mvzip(animal,arr,"|")
|stats count by t
| eval animal=mvindex(split(t,"|"),0),arr="[".mvindex(split(t,"|"),1) |fields - t, count
| rex field=arr "\"id\":\s(?<ids>\d)" max_match=0|eval count=mvcount(ids) 
| table animal count

 

 

 

My Sample Search :

 

 

| makeresults | eval _raw="{\"data\": {\"animals\": {\"dog\": [{\"name\": \"rex\", \"id\": 1}, {\"name\": \"tom\", \"id\": 2}],\"cat\": [{\"name\": \"rex\", \"id\": 3}, {\"name\": \"tom\", \"id\": 4}, {\"name\": \"sam\", \"id\": 5}],\"chicken\": [{\"name\": \"rex\", \"id\": 6}]}}}" 
| rex field=_raw "\"(?<animal>\w+)\":\s\[(?<arr>[^\]]*])" max_match=0
| eval t=mvzip(animal,arr,"|")
|stats count by t
| eval animal=mvindex(split(t,"|"),0),arr="[".mvindex(split(t,"|"),1) |fields - t, count
| rex field=arr "\"id\":\s(?<ids>\d)" max_match=0|eval count=mvcount(ids) 
| table animal count

 

 

 

 

Thanks
KV
▄︻̷̿┻̿═━一   ?

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.
 

Preview file
93 KB
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...