Hi Splunk community
My data in json format has 1 entry in Splunk that contain 1 event size and 1 event time for the same flowKey like the following:
{"_id":{"$oid":"dfkahu13fd"},"flowKey":"null,null,...", "size_of_events":[1.1121358e+08],"time_of_events":[{"$numberLong":"1548454548"}],...}
I also have 1 entry with multiple event size and event time for another flowKey which looks like the following:
{"_id":{"$oid":"dfsahu13fd"},"flowKey":"null,null,...", "size_of_events":[1.1121356e+08,1.1121357e+08,1.1121357e+08,1.1121358e+08],"time_of_events":[{"$numberLong":"1548454548"},{"$numberLong":"1548454549"},{"$numberLong":"1548454555"},{"$numberLong":"1548454559"}],...}
Pls advise how I can break the latter one into 4 events with the same flowKey. My aim is to show using a timechart with x as event time and y as event size for all entries.
Hopefully I can hack it in search. Am not good with props.conf.
Many thanks in advance.
... View more