Solved: Creating dashboard with 4 columns

shenoyveer · ‎09-12-2024

Hi Team,

I am sending json data to Splunk server and I want to create a dashboard out of it.

My data is in the below format and I need help in creating the dashboard out of it.

example:

{"value": ["new-repo-1: 2: yes: 17", "new-repo-2: 30:no:10", "new-one-3:15:yes:0", "old-repo: 10:yes:23", "my-repo: 10:no:15"]} and many more similar entries.

my dashboard should look like,

repos	count	active	count
new-repo	2	yes	17
new-repo-2	30	no	10
new-one-3	15	yes	0
old-repo	10	yes	23
my-repo	10	no	15

I am able to write the rex for single field using extract pairdelim="\"{,}" kvdelim=":" but not able to do it for complete dashboard.

can someone help?

Thanks,

Veeresh Shenoy

shenoyveer · ‎09-16-2024

I got the query that we need to use dedup

thanks anyway.

View solution in original post

shenoyveer · ‎09-13-2024

Thank you soo much @ITWhisperer

this worked for me 🙂

ITWhisperer · ‎09-13-2024

Your data looks like JSON so perhaps you should start by extracting the value collection into a multivalue field. You can then use mvexpand to split it into separate events, and use rex to extract the fields. Note that you can't have two columns / fields with the same name as you have shown

| spath value{} output=value
| mvexpand value
| rex field=value "(?<repos>[^:]+):\s*(?<count>\d+):\s*(?<active>\w+):\s*(?<othercount>\d+)"
| table repos count active othercount

shenoyveer · ‎09-16-2024

This query worked but I have found one issue that its taking duplicate values in dashboard if we run it again

is there any way that we can avoid old value if we run multiple times in lesser time?

shenoyveer · ‎09-16-2024

I got the query that we need to use dedup

thanks anyway.

Creating dashboard with 4 columns

field extraction

rex

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services