Splunk Search

How to extract wildcard key names in nested JSON

crazymonkey
Observer

Sample JSON

{
  "message": {
    "application": "hello",
    "deploy": {
      "X": {
        "A": {
          "QPY": 14814
        }
      },
      "Y": {
        "A": {
          "BWQ": 10967,
          "MQP": 1106
        }
      }
    },
    "ABC": 4020,
    "DEF": 1532
  },
  "severity": "info"
}

I'm trying to extract the key names and values under message.deploy.Y.A (the key names are not static).
The goal is to put them in a line chart and track the values over time.

I tried foreach but don't know how to use eval. Can someone help please?

| foreach message.deploy.Y.A.*

bowesmana
SplunkTrust

Does this work?

| rename message.deploy.Y.A.* as XX_*
| fields _time XX_*
| timechart fixedrange=f max(XX_*) as *

i.e. it takes all the Y.A fields and renames them to XX_*, then gets rid of all fields other than those and _time. Then it plots the max value over time of the XX_ values.

crazymonkey2
Engager

Thank you, that works, but I don't want the max for the day.
If I do table, how do I not show xx_1, xx_2 and xx_3 on the chart, but rather 1, 2 and 3?

| rename message.deploy.Y.A.* as xx_*
| table _time xx_*


bowesmana
SplunkTrust

Just add

| rename xx_* as *

which is basically what the timechart max(XX_*) as * does, i.e. the implicit rename.


yuanliu
SplunkTrust

> If I do table, how do I not show xx_1, xx_2 and xx_3 on the chart, but rather 1, 2 and 3?

Have you tried

| rename message.deploy.Y.A.* as *
| table _time *


crazymonkey2
Engager

I tried that; the table shows the contents of nested JSON that don't match message.deploy.Y.A.

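The pieces from this thread assembled into one self-contained search that can be pasted into a Splunk search bar. This is an added example, not code from any of the posters: the first four lines construct three synthetic events from the sample JSON above (the Y.A counters are incremented per event so the values change over time, and the timestamps are spaced a minute apart), `spath` auto-extracts the dotted field names exactly as Splunk does for real JSON events, and the remaining lines are the rename-prefix-table-rename pattern from the answers.

```spl
| makeresults count=3
| streamstats count AS n
| eval _time = now() - (3 - n) * 60
| eval _raw = "{\"message\":{\"application\":\"hello\",\"deploy\":{\"X\":{\"A\":{\"QPY\":14814}},\"Y\":{\"A\":{\"BWQ\":" . tostring(10967 + n) . ",\"MQP\":" . tostring(1106 + n) . "}}},\"ABC\":4020,\"DEF\":1532},\"severity\":\"info\"}"
| spath
| rename message.deploy.Y.A.* AS xx_*
| table _time xx_*
| rename xx_* AS *
```

After `spath`, the events carry not only `message.deploy.Y.A.BWQ` and `message.deploy.Y.A.MQP` but also `message.deploy.X.A.QPY`, `message.ABC`, `message.DEF`, `message.application` and `severity`. That is why `rename message.deploy.Y.A.* AS *` followed by `table _time *` shows unrelated nested fields: the `*` in `table` matches every field on the event. Moving the Y.A values under a distinctive prefix first (`xx_`) is what lets `table _time xx_*` keep only them; the final `rename xx_* AS *` then strips the prefix from the column headers so the chart legend reads BWQ and MQP. To chart instead of tabulate, replace the last two lines with `| timechart span=1m fixedrange=f latest(xx_*) AS *`; the `max(XX_*)` in the accepted answer aggregates each timechart bucket, and with the default span over a long search window that bucket can be a whole day, which is what the follow-up objects to. Choose `span=` to match the reporting interval of the source and `latest()` or `max()` depending on whether the values are counters or gauges.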

crazymonkey2
Engager

I figured it out.