I've got an interesting JSON:
{"timeStamp":"2017-01-26 23:59","name":"myVM1","counter":"mem.usage.average","description":"Memory usage as percentage of total configured or available memory","unit":"%","values":{"2017-01-26 10:00":"8.99","2017-01-26 09:55":"19.39","2017-01-26 09:50":"7.99"}}
{"timeStamp":"2017-01-26 23:59","name":"myVM2","counter":"mem.usage.average","description":"Memory usage as percentage of total configured or available memory","unit":"%","values":{"2017-01-26 10:00":"33.11","2017-01-26 09:55":"42.12","2017-01-26 09:50":"23.32"}}
The key is the timestamps. Can someone please provide the syntax to chart the two so I can compare memory usage? Thanks!
Assuming the fields are all extracted, try this:
your base search | table name values* | untable name timestamp value | eval _time=strptime(timestamp,"values.%Y-%m-%d %H:%M") | timechart avg(value) by name
thank you! Exactly what I needed!
I've tried to replicate your question in my lab and I came up with the following. Let me know if it helps:
| makeresults
| fields - _time
| eval raw = "
{\"timeStamp\":\"2017-01-26 23:59\",\"name\":\"myVM1\",\"counter\":\"mem.usage.average\",\"description\":\"Memory usage as percentage of total configured or available memory\",\"unit\":\"%\",\"values\":{\"2017-01-26 10:00\":\"8.99\",\"2017-01-26 09:55\":\"19.39\",\"2017-01-26 09:50\":\"7.99\"}}
;
{\"timeStamp\":\"2017-01-26 23:59\",\"name\":\"myVM2\",\"counter\":\"mem.usage.average\",\"description\":\"Memory usage as percentage of total configured or available memory\",\"unit\":\"%\",\"values\":{\"2017-01-26 10:00\":\"33.11\",\"2017-01-26 09:55\":\"42.12\",\"2017-01-26 09:50\":\"23.32\"}}
"
| eval raw = split(raw, ";")
| mvexpand raw
| spath input=raw path=name output=name
| spath input=raw path=values output=timevalues
| rex field=timevalues max_match=0 "(?<pairs>\"\d{4}\-\d{2}\-\d{2} \d{2}\:\d{2}\"\:\"[\d\.]+\")"
| mvexpand pairs
| rex field=pairs "\"(?<time>\d{4}\-\d{2}\-\d{2} \d{2}\:\d{2})\"\:\"(?<value>[\d\.]+)\""
| eval _time = strptime(time, "%Y-%m-%d %H:%M")
| timechart span=5m first(value) as value by name
Output: see pictures below
Sorry, forgot to add that Splunk is already correctly parsing these events as JSON
Compare usage of both VMs at a given instant? The values field contains multiple recordings of memory usage, so you want to plot all 3?
yes please, all three in a chart
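The untable-then-timechart pattern both answers rely on, written out in plain Python as an added example (not part of any post above): each event's nested "values" map is flattened into (name, time, value) rows, the string values are converted to numbers, and the rows are bucketed to 5 minutes and averaged per VM so both series share one time axis. The two-record input is the question's own data, embedded here as a constructed sample.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample: the two events from the question, one JSON object per line.
RAW_EVENTS = """
{"timeStamp":"2017-01-26 23:59","name":"myVM1","counter":"mem.usage.average","description":"Memory usage as percentage of total configured or available memory","unit":"%","values":{"2017-01-26 10:00":"8.99","2017-01-26 09:55":"19.39","2017-01-26 09:50":"7.99"}}
{"timeStamp":"2017-01-26 23:59","name":"myVM2","counter":"mem.usage.average","description":"Memory usage as percentage of total configured or available memory","unit":"%","values":{"2017-01-26 10:00":"33.11","2017-01-26 09:55":"42.12","2017-01-26 09:50":"23.32"}}
"""

TIME_FMT = "%Y-%m-%d %H:%M"  # same format the SPL strptime() call uses


def untable(raw):
    """Flatten each event's nested 'values' map into (name, time, value) rows,
    which is what '| untable name timestamp value' does in SPL.
    The map keys become _time via strptime; the values arrive as strings
    ("8.99") and must be converted before any averaging."""
    rows = []
    for line in raw.strip().splitlines():
        event = json.loads(line)
        for stamp, val in event["values"].items():
            rows.append((event["name"], datetime.strptime(stamp, TIME_FMT), float(val)))
    return rows


def timechart(rows, span_minutes=5):
    """Bucket rows to the span and average per (bucket, name), mirroring
    '| timechart span=5m avg(value) by name'. Returns a time-sorted list of
    (bucket, {name: avg}) so both VMs line up on one axis; a VM with no
    sample in a bucket is simply absent from that bucket's dict."""
    buckets = defaultdict(lambda: defaultdict(list))
    for name, t, v in rows:
        floored = t.replace(minute=t.minute - t.minute % span_minutes,
                            second=0, microsecond=0)
        buckets[floored][name].append(v)
    return [
        (b, {n: round(sum(vs) / len(vs), 2) for n, vs in sorted(series.items())})
        for b, series in sorted(buckets.items())
    ]


if __name__ == "__main__":
    for bucket, series in timechart(untable(RAW_EVENTS)):
        print(bucket.strftime(TIME_FMT), series)
```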