Splunk Search

How to extract wildcard key names in nested JSON

crazymonkey
Observer

Sample JSON

{
  "message": {
    "application": "hello",
    "deploy": {
      "X": {
        "A": {
          "QPY": 14814
        }
      },
      "Y": {
        "A": {
          "BWQ": 10967,
          "MQP": 1106
        }
      }
    },
    "ABC": 4020,
    "DEF": 1532
  },
  "severity": "info"
}

I'm trying to extract the key names and values under message.deploy.Y.A (the key names are not static).
The goal is to put them in a line chart and track the values over time.

I tried foreach but don't know how to use eval. Can someone help, please?

| foreach message.deploy.Y.A.*


bowesmana
SplunkTrust

Does this work?

| rename message.deploy.Y.A.* as XX_*
| fields _time XX_*
| timechart fixedrange=f max(XX_*) as *

I.e., it takes all the Y.A fields, renames them to XX_*, and gets rid of all fields other than those and _time. Then it plots the max value over time of the XX_ values.


crazymonkey2
Engager

Thank you, that works, but I don't want the max for the day.
If I do table, how do I not show xx_1, xx_2 and xx_3 on the chart, but rather 1, 2 and 3?

| rename message.deploy.Y.A.* as xx_*
| table _time xx_*


bowesmana
SplunkTrust

Just add

| rename xx_* as *

which is basically what the timechart max(XX_*) as * does, i.e. the implicit rename.


yuanliu
SplunkTrust

If I do table, how do I not show xx_1, xx_2 and xx_3 on the chart, but rather 1, 2 and 3?

Have you tried

| rename message.deploy.Y.A.* as *
| table _time *


crazymonkey2
Engager

I tried that; the table shows contents of the nested JSON that don't match message.deploy.Y.A.

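The following Python is an added example, not part of the thread and not Splunk's code. It models what the two SPL variants discussed above do, assuming that Splunk's JSON auto-extraction turns nested keys into dotted field names (message.deploy.Y.A.BWQ) and that the `*` in `rename` captures the variable tail of the name; the helper names and the two sample events (with a second key, ZZT, appearing only in the later event) are constructed for illustration. It shows why bowesmana's prefix-then-`fields` approach keeps only the Y.A keys, how `timechart max(XX_*) as *` strips the prefix from the series names, and why `rename message.deploy.Y.A.* as * | table _time *` also carries the unrelated fields that crazymonkey2 saw.

```python
"""Added example: a Python model of the SPL in this thread, not Splunk code.
Assumes Splunk's JSON auto-extraction yields dotted field names
(message.deploy.Y.A.BWQ) and that `*` in rename captures the variable tail.
Function names and the sample events are constructed for illustration."""
import json
from collections import defaultdict

# Constructed raw events in the poster's shape; the second one adds a key (ZZT)
# to show that the wildcard picks up names that are not known in advance.
RAW_EVENTS = [
    (1700000000, '{"message": {"application": "hello", "deploy": {"X": {"A": {"QPY": 14814}},'
                 ' "Y": {"A": {"BWQ": 10967, "MQP": 1106}}}, "ABC": 4020, "DEF": 1532},'
                 ' "severity": "info"}'),
    (1700000600, '{"message": {"application": "hello", "deploy": {"X": {"A": {"QPY": 14900}},'
                 ' "Y": {"A": {"BWQ": 11000, "MQP": 1200, "ZZT": 7}}}, "ABC": 4100, "DEF": 1500},'
                 ' "severity": "info"}'),
]
YA = "message.deploy.Y.A.*"


def flatten(obj, prefix=""):
    """Model of auto-extraction: nested keys become dotted field names."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, name))
        else:
            out[name] = value
    return out


def rename_wildcard(fields, pattern, target):
    """`| rename <pattern> as <target>` for one `*`: the text the `*` in
    pattern matched is substituted for the `*` in target, so
    `as XX_*` prefixes the tail and `as *` strips the prefix entirely."""
    pre, _, suf = pattern.partition("*")
    out = {}
    for name, value in fields.items():
        if name.startswith(pre) and name.endswith(suf) and len(name) >= len(pre) + len(suf):
            captured = name[len(pre):len(name) - len(suf)]
            out[target.replace("*", captured)] = value
        else:
            out[name] = value
    return out


def extract_ya(events, prefix="XX_"):
    """`| rename message.deploy.Y.A.* as XX_* | fields _time XX_*`:
    the prefix gives `fields` something to select on."""
    rows = []
    for ts, raw in events:
        fields = rename_wildcard(flatten(json.loads(raw)), YA, prefix + "*")
        row = {"_time": ts}
        row.update({k: v for k, v in fields.items() if k.startswith(prefix)})
        rows.append(row)
    return rows


def timechart_max(rows, span, prefix="XX_"):
    """`| timechart span=<span>s max(XX_*) as *`: bucket _time, keep the max per
    series per bucket, and drop the prefix from the series name (the `as *`)."""
    buckets = defaultdict(dict)
    for row in rows:
        bucket = row["_time"] - row["_time"] % span
        for name, value in row.items():
            if name == "_time":
                continue
            series = name[len(prefix):]
            current = buckets[bucket].get(series)
            buckets[bucket][series] = value if current is None else max(current, value)
    return [{"_time": b, **buckets[b]} for b in sorted(buckets)]


def table_all(events):
    """`| rename message.deploy.Y.A.* as * | table _time *`: with the prefix
    gone there is nothing to select on, so every extracted field comes along,
    which is what the poster saw."""
    rows = []
    for ts, raw in events:
        row = {"_time": ts}
        row.update(rename_wildcard(flatten(json.loads(raw)), YA, "*"))
        rows.append(row)
    return rows


if __name__ == "__main__":
    ya_rows = extract_ya(RAW_EVENTS)
    print(ya_rows)
    print(timechart_max(ya_rows, 3600))
    print(sorted(table_all(RAW_EVENTS)[0]))
```

The point of the intermediate XX_ prefix is only to give `fields` (or `table`) a wildcard that matches nothing else; once the unwanted fields are gone, `rename xx_* as *` or the `as *` in `timechart` removes it again. If the chart should show raw values rather than a per-bucket maximum, use a span small enough that each bucket holds one event, or skip `timechart` and use `table _time xx_* | rename xx_* as *` as in the thread.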

crazymonkey2
Engager

I figured it out
