Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

_json query problem

spisiakmi
Communicator
‎08-19-2021 05:58 AM

Hi, can anybody help me please?

I have _json indexed events in Splunk.

19.08.21 08:26:27,746

{ [-]
   nameS8.ManuelFail
   valuefalse
}

19.08.21 08:26:25,746

{ [-]
   nameS8.Pruefprogramm_PG
   valueS3_450
}

19.08.21 08:26:27,746

{ [-]
   nameS8.ManuelFail
   valuetrue
}

19.08.21 08:27:25,746

{ [-]
   nameS8.Pruefprogramm_PG
   valueS3_450
}

19.08.21 08:28:25,746

{ [-]
   nameS8.Pruefprogramm_PG
   valueS3_600
}

19.08.21 08:29:25,746

{ [-]
   nameS8.Pruefprogramm_PG
   valueS3_600
}

In the dashboard I choose specific time interval with the time pick up element. E.g. last 24 hours. I would like to have % number for each name: S8.Pruefprogramm_PG and its value, where name: S8.ManuelFail has value: true. It means % all name: S8.ManuelFail
value: true against all name: S8.ManuelFail
value: true/false. It is even possible? E.g. in this case I would like to have a table output:

S8.Pruefprogramm_PG S8.ManuelFail [%]

S3_450 50

Labels (1)
Labels
0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎08-19-2021 09:35 PM

@spisiakmi  Can you share the original _raw json? switch to raw mode in search UI.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...