About darrfang

darrfang

Thank you so much! this also works on my cases, sorry the system only allows me to accept one solution for now but this solution works perfectly on what I would like to achieve 🙏

darrfang

thanks! this is the trick that works for my case!

darrfang

Hey Splunk team, I have a data similar to this: | makeresults | eval data="ABC,10,15;DEF,12,13;GHI,11,14" | makemv delim=";" data | mvexpand data | eval label=mvindex(split(data,","),0) | eval duration1=tonumber(mvindex(split(data,","),1)) | eval duration2=tonumber(mvindex(split(data,","),2)) | eval duration_diff=abs(duration1 - duration2) | table label duration1 duration2 duration_diff which I wanted to highlight the color in red, if value of abs(duration1 - duration2) is >2, making the column red. In the example above, column 10, 15 & 11, 14 should be red. I tried to do something like this but not able to get it work, could you help me how to do that, thank you! <format type="color" field="duration2"> <colorPalette type="expression">if ($row.duration_diff$ > 2 ,"#DC4E41", null())</colorPalette> </format>

darrfang · ‎02-11-2025

Hi @livehybrid this works like magic! thanks a lot for giving me the insights! Just wondering what's the reason at here that you did mvexpand twice just did some test seems that if I remove `| mvexpand data_value` I can still get the same results / format

darrfang · ‎02-11-2025

Hi splunk team, I have a question about how to extract the key-value pair from json data. Let's say for example I have two raw data like this: # raw data1: { "key1": { "key2": { "key3": [ {"data_value": {"aaa": "12345", "bbb": "23456"}} ] } } } # raw data 2: { "key1": { "key2": { "key3": [ {"data_value": {"ccc": "34567"}} ] } } } how can I extract the key-value results in all the data_value, to be a table as: node value aaa 12345 bbb 23456 ccc 34567 I current have a splunk query that could do part of it: ```some search...``` | spath output=pairs path=key1.key2.key3{}.data_value | rex field=hwids "\"(?<node>[^\"]+)\":\"(?<value>[^\"]+)\"" | table node value pairs but this only gives me the result of all the first data, result would look like below, that ignore the data of "bbb":"23456". Please give me some advice on how to grab all the results, thanks! node value pairs aaa 12345 {"aaa": "12345", "bbb": "23456"} ccc 34567 {"ccc": "34567"}

darrfang · ‎07-10-2024

Hi everyone, I have a json data payload as below: { location: US all_results: { serial_a: { result: PASS, version: 123, data:[ data1, data2, data3 ] }, serial_b: { result: PASS, version: 456, data:[ data4, data5 ] }, serial_c: { result: FAIL, version: 789, data:[ data6, data7 ] } } } and I would like to use splunk query and make a table as: serial_number result version data serial_a PASS 123 data1, data2, data3 serial_b PASS 456 data4, data5, serial_c fail 789 data6, data7 how to use splunk query to organize the result? I know I'm able to grab the data by: | spath path=all_results output=all_results | eval all_results=json_extract(all_results) The difficult part is at the serial_number. They have some common prefix serial, but it's dynamic. Therefore , when I try to grab the data inside serial_number, for example version, I'm not able to use query like: | spath output=version path=all_result.serial*.version Could you give me some idea to do that? thank you!

Posts	6
Solutions	0
Karma Given	5
Karma Received	0
Member Since	‎07-10-2024

Online Status	Offline
Date Last Visited	2 weeks ago

How to color the column based on the value of anot...

extract all the key-value pairs from the json data

Grab json value with dynamic key from splunk

Re: How to color the column based on the value of ...

Re: How to color the column based on the value of ...

How to color the column based on the value of anot...

Re: extract all the key-value pairs from the json ...

extract all the key-value pairs from the json data

Grab json value with dynamic key from splunk

Join the Conversation