Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About incognito
incognito
Explorer
Member since:
12-15-2021
04-26-2022
Community Statistics
| Posts | 7 |
| Solutions | 0 |
| Karma Given | 3 |
| Karma Received | 0 |
| Member Since | 12-15-2021 |
Activity Feed
- Posted How to Bind 2 events? on Splunk Search. 04-26-2022 03:21 AM
- Karma Re: How to parse JSON arrays together? for ITWhisperer. 02-25-2022 07:46 AM
- Posted How to parse JSON arrays together? on Splunk Search. 02-24-2022 08:10 AM
- Posted Re: JSON parsing problem on Splunk Search. 12-31-2021 03:34 AM
- Karma Re: JSON parsing problem for isoutamo. 12-30-2021 03:14 AM
- Posted Re: JSON parsing problem on Splunk Search. 12-30-2021 03:10 AM
- Posted Re: JSON parsing problem on Splunk Search. 12-30-2021 02:40 AM
- Posted JSON parsing problem on Splunk Search. 12-28-2021 09:06 AM
- Tagged JSON parsing problem on Splunk Search. 12-28-2021 09:06 AM
- Karma Re: Center _time on a column chart for ITWhisperer. 12-16-2021 12:47 AM
- Posted Center _time on a column chart on Splunk Search. 12-15-2021 05:21 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
04-26-2022
03:21 AM
Hello,
I have the following 2 events :
1st event :
{ [-]
dimensionMap: { [-]
User type: Real users
dt.entity.application_method.name: Application
}
dimensions: [ [-]
APPLICATION_METHOD
]
timestamps: [ [-]
1650966840000
1650966900000
1650966960000
1650967020000
1650967080000
1650967140000
1650967200000
1650967260000
1650967320000
1650967380000
1650967440000
]
values: [ [-]
0.47
0.67
0.37
0.45
0.44
0.57
0.48
0.47
0.69
0.70
0.40
]
}
2nd event :
{ [-]
dimensionMap: { [-]
dt.entity.application_method.name: Application
}
dimensions: [ [-]
APPLICATION_METHOD
]
timestamps: [ [-]
1650966840000
1650966900000
1650966960000
1650967020000
1650967080000
1650967140000
1650967200000
1650967260000
1650967320000
1650967380000
1650967440000
]
values: [ [-]
18
27
23
19
17
21
24
30
13
10
5
]
}
I would like to bind each value of the 1st event to each value of the 2nd event. I tried some join commands using the timestamps as a common value, but it didn't work.
At the end, I would like the following table (result = value1*value2) :
Timestamp Value1 Value2 Result
1650966840000 0.47 18 0.47*18 1650966900000 0.67 27 0.67*27 1650966960000 0.37 23 0.37*23 1650967020000 0.45 19 0.45*19 1650967080000 0.44 17 0.44*17 1650967140000 0.57 21 0.57*21 1650967200000 0.48 24 0.48*24 1650967260000 0.47 30 0.47*30 1650967320000 0.69 13 0.69*13 1650967380000 0.70 10 0.70*10 1650967440000 0.40 5 0.40*5
Thank you.
Regards,
... View more
Labels
- Labels:
-
field extraction
-
join
-
transaction
02-24-2022
08:10 AM
Hello,
I have the next following event :
{ [-] dimensionMap: { [+] } dimensions: [ [+] ] timestamps: [ [-] 1645718340000 1645718400000 1645718460000 1645718520000 1645718580000 1645718640000 1645718700000 1645718760000 1645718820000 1645718880000 1645718940000 ] values: [ [-] 0.54 0.63 0.37 0.56 0.47 0.45 0.65 0.64 1 null null ] }
I would like to link each timestamp to its corresponding value.
For instance, following this example, it could look like this as a table :
Timestamp Value
1645716780000 0.42 1645716840000 0.79 1645716900000 0.53 1645716960000 0.63 1645717020000 0.59 1645717080000 0.5 1645717140000 0.57 1645717200000 0.59 1645717260000 null 1645717380000 null
Thank you.
Regards,
... View more
12-31-2021
03:34 AM
Hello, index="supervision_software" source="API" earliest=-1m
| spath path=hosts{}.modules{}.instances{}.moduleVersion output=moduleVersion2
| stats count by moduleVersion2 Displays : This one is correct (total = 1290 moduleversions). The problem here is that I don't have anymore my 'hostInfo' fields and so I can't sort the moduleversions by host. index="supervision_software" source="API" earliest=-1m
| spath
| stats count(hosts{}.modules{}.instances{}.moduleVersion) Displays : 1345 isn't right (there are around 1270 - 1295 moduleVersion, it depends on when the API call is done). With this search, even if I try to table displayName, moduleversion and instanceName, it seems like they are not linked at all (but they are in the JSON) because the results are nonsense (e.g. a host has at least 50 moduleversion but it display only 1 for that host, it's like there is no relationships). Best regards,
... View more
12-30-2021
03:10 AM
I deleted the "KV_MODE" param. I have now those : Although, splunk parses it, I have nonsense results. For example, with the following search I count the number of 'moduleVersion' : index="supervision_software" source="API" earliest=-1m | stats count(hosts{}.modules{}.instances{}.moduleVersion) And then with this one, I count the number of 'moduleVersion' by moduleVersion : index="supervision_software" source="API" earliest=-1m | stats count(hosts{}.modules{}.instances{}.moduleVersion) by hosts{}.modules{}.instances{}.moduleVersion I don't understand how splunk parses the JSON ...
... View more
12-30-2021
02:40 AM
Hi, You're right, I missed commas during the copy. The sample is fixed now. I believe the JSON answer is correct (syntactically) but I'm still getting those 2 different count numbers when parsing it manually with 'spath'. I tried to let SPLUNK parse it automatically by configuring the sourcetype with those parameters : Splunk parses it, but incorrectly (e.g. by doing 'stats count()' on some fields, the results are incorrect). I was thinking that I might have to adjust the "LINE_BREAKER" or "SHOULD_LINEMERGE" sourcetype parameters because of the complex JSON answer. Do you have any ideas on how to adjust those params for my case ? Thank you. Best regards,
... View more
12-28-2021
09:06 AM
Hello, My Splunk query an API and gets a JSON answer. Here is a sample for 1 Host (the JSON answer is very long ≈ 400 hosts) : { "hosts": [ { "hostInfo": { "displayName": "host1.fr" }, "modules": [ { "moduleType": "JAVA", "instances": [ { "Instance Name": "Test1", "moduleVersion": "1.0" }, { "Instance Name": "Test2", "moduleVersion": "1.1" }, { "Instance Name": "Test3", "moduleVersion": "1.2" } ] } ] } ] } First-of-all I have to manually parse this JSON because SPLUNK automatically gets the 1st fields of the 1st host only. With this following search, I manually parse this JSON all the way through the "instances{}" array and I count the number of moduleVersion : index="supervision_software" source="API" earliest=-1m | spath path=hosts{}.modules{}.instances{} output=host | fields - _raw | mvexpand host | spath input=host | stats count(moduleVersion) It displays a number of 1277 moduleVersion and it is the right number. On the other hand with the next similar search, when I parse the JSON starting only to the 1st array ("hosts{}"), I am getting a different number of moduleVersion : index="supervision_software" source="API" earliest=-1m | spath path=hosts{} output=host | fields - _raw | mvexpand host | spath input=host | stats count(modules{}.instances{}.moduleVersion) It displays a number of 488 moduleVersion but it's incorrect. Why is there a difference ? Thank you. Best regards,
... View more
- Tags:
- json
Labels
- Labels:
-
count
-
field extraction
-
fields
12-15-2021
05:21 AM
Hello, I would like to center the dates of my timechart (column) : I'm using the timechart command in order to get a table that is then transformed in a column chart. How can I do this? Thank you. Best regards,
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
04-26-2022
05:36 AM
|
