I have a json object (see below). I need to take the value of payload.chan (15 in this case) and using 15 select payload.eavgc15, payload.emax15, and payload.emin15 and chart the values. I can't quite figure out how to extract the value of payload.chan and then append that to payload.eavgc. I've tried eval testvariable=tostring(payload.chan) | eval testvariable1=payload.eavgc+testvariable
but no luck.... Any thoughts?
cpeId: 9c97261be426
messageType: zigBeeData
payload: { [-]
apsDecryptionFailures: 0
apsFrameCounterFailures: 0
apsRxBcast: 0
apsRxUcast: 355
apsTxBcast: 0
apsTxUcastFailures: 0
apsTxUcastRetries: 0
apsTxUcastSuccesses: 279
bufferAllocationFailures: 0
chan: 15
eavgc11: -56
eavgc12: -45
eavgc13: -42
eavgc14: -52
eavgc15: -66
eavgc16: -40
emaxc11: -56
emaxc12: -45
emaxc13: -42
emaxc14: -49
emaxc15: -31
emaxc16: -39
emaxc17: -33
eminc11: -56
eminc12: -45
eminc13: -42
eminc14: -52
eminc15: -72
eminc16: -41
Hi dbcase,
This is a tricky one, but I was able to get it working in a dashboard at least (Strange it's not working in Search though....)
Take a look at this dash board:
<form>
<label>rex based on drop down</label>
<fieldset submitButton="false">
<input type="dropdown" token="token">
<label>Select chan:</label>
<search>
<query>index=* source="Untitled.txt" host="indexer" sourcetype="mytest" | dedup chan | table chan</query>
<earliest>0</earliest>
<latest></latest>
</search>
<fieldForLabel>chan</fieldForLabel>
<fieldForValue>chan</fieldForValue>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>source="Untitled.txt" host="indexer" sourcetype="mytest" | fields chan e* | table * | rex max_match=0 "(?<myField>\w+c"$token$"):\s+(?<myValue>[^\s]+)" | fields - _raw | where chan=$token$ | table chan my* | eval zipped = mvzip(myField, myValue, "###") | mvexpand zipped | eval mv1 = replace(zipped, "###.*$", "") | eval mv2 = replace(zipped, "^.*###", "" ) | fields - zipped | eval {mv1}=mv2 | fields chan e* | stats max(*) AS *</query>
<earliest>@d</earliest>
<latest>now</latest>
</search>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="count">10</option>
</table>
</panel>
</row>
</form>
This will get all chan
values into a drop down and gets back the evagc*
, emaxc*
and eminc*
values based on the value of chan
.
If you have more questions let me know and we can look at this offline 😉
Hope this helps ...
cheers, MuS
PS: here are my test events based on your provided examples:
cpeId: 9c97261be426
messageType: zigBeeData
payload: { [-]
apsDecryptionFailures: 0
apsFrameCounterFailures: 0
apsRxBcast: 0
apsRxUcast: 355
apsTxBcast: 0
apsTxUcastFailures: 0
apsTxUcastRetries: 0
apsTxUcastSuccesses: 279
bufferAllocationFailures: 0
chan: 13
eavgc11: -56
eavgc12: -45
eavgc13: -42
eavgc14: -52
eavgc15: -66
eavgc16: -40
emaxc11: -56
emaxc12: -45
emaxc13: -42
emaxc14: -49
emaxc15: -31
emaxc16: -39
emaxc17: -33
eminc11: -56
eminc12: -45
eminc13: -42
eminc14: -52
eminc15: -72
eminc16: -41
cpeId: 9c97261be426
messageType: zigBeeData
payload: { [-]
apsDecryptionFailures: 0
apsFrameCounterFailures: 0
apsRxBcast: 0
apsRxUcast: 355
apsTxBcast: 0
apsTxUcastFailures: 0
apsTxUcastRetries: 0
apsTxUcastSuccesses: 279
bufferAllocationFailures: 0
chan: 14
eavgc11: -56
eavgc12: -45
eavgc13: -42
eavgc14: -52
eavgc15: -66
eavgc16: -40
emaxc11: -56
emaxc12: -45
emaxc13: -42
emaxc14: -49
emaxc15: -31
emaxc16: -39
emaxc17: -33
eminc11: -56
eminc12: -45
eminc13: -42
eminc14: -52
eminc15: -72
eminc16: -41
cpeId: 9c97261be426
messageType: zigBeeData
payload: { [-]
apsDecryptionFailures: 0
apsFrameCounterFailures: 0
apsRxBcast: 0
apsRxUcast: 355
apsTxBcast: 0
apsTxUcastFailures: 0
apsTxUcastRetries: 0
apsTxUcastSuccesses: 279
bufferAllocationFailures: 0
chan: 15
eavgc11: -56
eavgc12: -45
eavgc13: -42
eavgc14: -52
eavgc15: -66
eavgc16: -40
emaxc11: -56
emaxc12: -45
emaxc13: -42
emaxc14: -49
emaxc15: -31
emaxc16: -39
emaxc17: -33
eminc11: -56
eminc12: -45
eminc13: -42
eminc14: -52
eminc15: -72
eminc16: -41
Thanks MuS! Your solution prompted another way to do this. Our solution is kinda kludgy but it works in search.
index="cpe_index" messageType=zigBeeData | eval zigChanMinRssi=case('payload.chan'==15, 'payload.eminc15', 'payload.chan'==19, 'payload.eminc19', 'payload.chan'==20, 'payload.eminc20', 'payload.chan'==25, 'payload.eminc25') | chart values(zigChanMinRssi) AS "MIN" OVER time BY premiseId
We need to add the other fields but this seems to get us what we are looking for. Thank you!
Yeah, that's a lot of work and all hard coded - but well done 😉
I've updated my search in the dashboard a bit to return the field names as eavgc*
, emaxc*
or eminc*
now.
cheers, MuS
Thanks ! I think you are on the right path but still unsure how to take the next step.
A bit more clarification on what I'm asking.....
In each json object there is the field payload.chan. This field will have one of 3 values currently. 11,15, 23. If the value is 15 we would like to graph the results of the payload.eavgc15, payload, payload.emaxc15 and payload.eminc15.
If the payload.chan value is 23 we would like to graph the results of the payload.eavgc23, payload, payload.emaxc23 and payload.eminc23.
and if the payload.chan value is 11 we would like to graph the results of the payload.eavgc11, payload, payload.emaxc11 and payload.eminc11.
Does that help?
Hi dbcase,
I'm not sure if I understood your question but you can use the map command to submit a result of a field to another search. You can find the documentation here: http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/map. You do a search where you find a result like this: sourcetype=xyz field1=filter | table filter_to_subsearch | map search "search sourcetypeabc filter="$filter_to_subsearch$""
Hope this helps.