Splunk Search

How to extract wildcard key name in nested JSON

crazymonkey
Observer

Sample JSON

{
  "message": {
    "application": "hello",
    "deploy": {
      "X": {
        "A": {
          "QPY": 14814
        }
      },
      "Y": {
        "A": {
          "BWQ": 10967,
          "MQP": 1106
        }
      }
    },
    "ABC": 4020,
    "DEF": 1532
  },
  "severity": "info"
}

I'm trying to extract key names and values under message.deploy.Y.A (key names are not static)
Goal is to put them in a line chart and track values over time.

Tried foreach but don't know how to use eval. Can someone help, please?

| foreach message.deploy.Y.A.*

0 Karma

bowesmana
SplunkTrust

Does this work?

| rename message.deploy.Y.A.* as XX_*
| fields _time XX_*
| timechart fixedrange=f max(XX_*) as *

i.e. it takes all the Y.A fields and renames them to XX_* and gets rid of all other fields other than those and time. Then plots max value over time of the XX_ values.

 

crazymonkey2
Engager

Thank you, that works but don't want max for the day.
If I do table, how to not show on chart xx_1, xx_2 and xx_3, rather show 1, 2 and 3?

| rename message.deploy.Y.A.* as xx_*
| table _time xx_*


0 Karma

bowesmana
SplunkTrust

Just add

| rename xx_* as *

which is basically what the timechart max(XX_*) as * does, i.e. the implicit rename


0 Karma

yuanliu
SplunkTrust

If I do table, how to not show on chart xx_1, xx_2 and xx_3, rather show 1, 2 and 3

Have you tried

| rename message.deploy.Y.A.* as *
| table _time *

 

0 Karma

crazymonkey2
Engager

I tried that, table shows contents of nested json that don't match message.deploy.Y.A


0 Karma

crazymonkey2
Engager

I figured it out

0 Karma
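
The thread ends without the final search being posted. The following is an added example, not code from any of the posters: it chains the steps suggested above (prefix rename, `fields`, prefix strip) so that only the keys under message.deploy.Y.A reach the table. The `makeresults` lines build three constructed copies of the sample event one minute apart so the search runs without an index; the `n` field and the timestamps are assumptions made for illustration.

```spl
| makeresults count=3
| streamstats count as n
| eval _time = _time - (3 - n) * 60
| eval _raw = "{\"message\": {\"application\": \"hello\", \"deploy\": {\"X\": {\"A\": {\"QPY\": 14814}}, \"Y\": {\"A\": {\"BWQ\": 10967, \"MQP\": 1106}}}, \"ABC\": 4020, \"DEF\": 1532}, \"severity\": \"info\"}"
| spath
| rename message.deploy.Y.A.* as xx_*
| fields _time xx_*
| rename xx_* as *
| table _time *
```

Renaming to a temporary prefix first is what lets `fields` drop everything else before the names are shortened, so the final `*` matches only the Y.A keys (BWQ and MQP for the sample event). Against real data, replace the first four lines with the base search.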