Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to extract the data from json to a table show

brightgong
New Member
‎04-22-2021 02:50 AM

i'm trying to extract data from json and show into my dashboard but failed

 

 

{
  "timestamp":"2021-04-22T09:14:38.727Z",
  "message":"Metrics: key1=false, [SystemMetricsBean] key2=key2val, [MetricAttributes] sumCountViaMetricsAnnotation=2, failureCount=0, sumDuration=46, minDuration=22, maxDuration=24, sumCountViaCacheAnnotation=2, numWithoutCache=2, numDisableCache=2",
  "version":"1.1.0"
}

 

 

i'd like to  extract failureCount and other statistic data then display in my dashboard

 

here is my search but not work:

 

 

base search 
| spath path=message,output=metrics
| stats count(sumDuration) as duration, count(failureCount) as fail

 

 

 

can u help to guide me? also i try other cmd like extract, eval, rex but also not got the result

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-22-2021 03:28 AM

You are almost there - after the spath, copy the message field to _raw and run extract. The stats might be better as sums rather than counts, but it depends what it is that you are trying to get

| makeresults 
| eval _raw="{
  \"timestamp\":\"2021-04-22T09:14:38.727Z\",
  \"message\":\"Metrics: key1=false, [SystemMetricsBean] key2=key2val, [MetricAttributes] sumCountViaMetricsAnnotation=2, failureCount=0, sumDuration=46, minDuration=22, maxDuration=24, sumCountViaCacheAnnotation=2, numWithoutCache=2, numDisableCache=2\",
  \"version\":\"1.1.0\"
}"


| spath path=message,output=metrics
| eval _raw=metrics
| extract 
| stats sum(sumDuration) as duration, sum(failureCount) as fail
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...