Splunk Search

How to select just JSON properties and display it on a chart?

gcescatto
New Member

How can I select the JSON properties and display them on a bar chart? Not their value, but their name. I need to build a bar chart similar to this one above, where the X axis is the different NAMES of JSON properties, the Y axis is the COUNT of each JSON property's values (there are three options: true, false and missing) and the colors must be the JSON properties' values.

The JSON I have is:
JsonData="{
"Uniformance_Oracle_Access":"True"
"FACTS_Access":"True"
"Oracle_GG":"False"}"

So far I was just able to display the values in the colors and do a Y-axis correctly, but the X-axis has been a real problem.

0 Karma
1 Solution

niketn
Legend

What is the missing criteria? What would the corresponding event look like?

Sorry, I could not find a neat way to do this. Hopefully others will be able to assist; however, you can count True and False per series and then append the results for each series, i.e. Uniformance_Oracle_Access, FACTS_Access, Oracle_GG

<YourBaseSearch>
| table Uniformance_Oracle_Access
| chart count(eval(Uniformance_Oracle_Access=="True")) as True count(eval(Uniformance_Oracle_Access=="False")) as False
| eval Field="Uniformance_Oracle_Access"
| append [ <YourBaseSearch>
                    | table FACTS_Access
                    | chart count(eval(FACTS_Access=="True")) as True count(eval(FACTS_Access=="False")) as False
                    | eval Field="FACTS_Access"]
| append [ <YourBaseSearch>
                    | table Oracle_GG
                    | chart count(eval(Oracle_GG=="True")) as True count(eval(Oracle_GG=="False")) as False
                    | eval Field="Oracle_GG"]

Then you need to create a Stacked Column Chart for these. There should be a better way to do this, as I am running the same search three times for append, and if the data being correlated is more, append might silently drop data, giving skewed results. Please see if this still works for you until someone provides a better solution.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

0 Karma

gcescatto
New Member

The colors that should be only "True", "False" or "Missing" are displaying "True" and "Field". I'm trying to fix this. But the table displayed seems correct. Thank you (:

0 Karma

niketn
Legend

@gcescatto, I have converted my comment to an answer. Please accept to mark the question as Answered. Please let us know if further help is required!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

gcescatto
New Member

Could you please help me swap the places of "Field" and "True"?
The table is correct, but the chart needs to have "Field" on the X axis and "True" and "False" as colors. Sorry to bother, I'm new to Splunk.

0 Karma

niketn
Legend

Where do you get the value for each of the columns? It is not present in your sample JSON.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

gcescatto
New Member

The values are "True" and "False". They come from PowerShell scripts that store data in the database. So, my application is a dbconnect application.

0 Karma
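
A single-pass alternative to the three appended searches in the answer above, which also puts the property names on the X axis and adds a "Missing" series (added example, not part of the original thread). The makeresults rows are constructed sample data standing in for <YourBaseSearch>, id is a hypothetical row key needed by untable, and the three properties are assumed to be already extracted as fields.

```spl
| makeresults count=4
| streamstats count as id
| eval Uniformance_Oracle_Access=case(id<=3, "True", id==4, "False")
| eval FACTS_Access=case(id<=2, "True", id==3, "False")
| eval Oracle_GG=case(id==1, "True", id<=3, "False")
| table id Uniformance_Oracle_Access FACTS_Access Oracle_GG
| fillnull value="Missing" Uniformance_Oracle_Access FACTS_Access Oracle_GG
| untable id Field Value
| chart count over Field by Value
```

On real data, replace the first five lines with <YourBaseSearch> | streamstats count as id and render the result as a stacked column chart. Because the base search runs once and nothing goes through append, no subsearch limit can drop rows, and chart ... over Field makes Field the first column, so the True, False and Missing counts become the colored series.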