how to extract extract wildcard key name in nested...

crazymonkey · ‎11-02-2021

Sample JSON

{ 
   message: { 
     application: hello
     deploy: { 
       X: { 
         A: { 
           QPY: 14814
         }
       }
       Y: { 
         A: { 
           BWQ: 10967
           MQP: 1106
         }
       }
     }
     ABC: 4020
     DEF: 1532
   }
   severity: info
}

I'm trying to extract key names and values under message.deploy.Y.A (key names are not static)
Goal is to put them in a line chart and track values over time.

tried foreach but don't know how to use eval. Can someone help please

| foreach message.deploy.Y.A.*

bowesmana · ‎11-02-2021

Does this work?

| rename message.deploy.Y.A.* as XX_*
| fields _time XX_*
| timechart fixedrange=f max(XX_*) as *

i.e. it takes all the Y.A fields and renames them to XX_* and gets rid of all other fields other than those and time. Then plots max value over time of the XX_ values.

crazymonkey2 · ‎11-19-2021

thank you, that works but don't wan't max for the day.
If I do table, how to not show on chart xx_1, xx_2 and xx_3, rather show 1, 2 and 3

| rename message.deploy.Y.A.* as xx_*
| table _time xx_*

bowesmana · ‎11-21-2021

Just add

| rename xx_* as *

which is basically what the timechart max(XX_*) as *, i.e. the implicit rename

yuanliu · ‎11-20-2021

If I do table, how to not show on chart xx_1, xx_2 and xx_3, rather show 1, 2 and 3

Have you tried

| rename message.deploy.Y.A.* as *
| table _time *

crazymonkey2 · ‎11-23-2021

I tried that, table shows contents of nested json that don't match

message.deploy.Y.A

crazymonkey2 · ‎11-24-2021

I figured it out

how to extract extract wildcard key name in nested json

field extraction

subsearch

timechart

SplunkTrust Application Period is Officially OPEN!

Splunk Answers Content Calendar, June Edition II

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

Are you a member of the Splunk Community?