Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to create a chart that shows the JSON count by...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunk_novice
New Member
06-22-2018
05:39 PM
Each line of my log has the following json construct
{ resourceUsage: [
{
cloud: AWS
count: 34
resource: EC2_INSTANCE
}
{
cloud: AWS
count: 3
resource: NAT_GATEWAY
}
]
}
I want create a time chart that shows sum (resourceUsage.count) by resourceUsage.resource eg. EC2_INSTANCE = 51, NAT_GATEWAY=25
My query which doesn't work looks like this timechart span=1d sum(resourceUsage{}.count) by resourceUsage{}.resource
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
06-23-2018
01:10 AM
Hi @splunk_novice,
Hope this helps.
| makeresults |eval json="{
\"resourceUsage\": [
{
\"cloud\": \"AWS\",
\"count\": 34,
\"resource\": \"EC2_INSTANCE\"
},
{
\"cloud\": \"AWS\",
\"count\": 3,
\"resource\": \"NAT_GATEWAY\"
},
{
\"cloud\": \"AWS\",
\"count\": 10,
\"resource\": \"EC2_INSTANCE\"
},
{
\"cloud\": \"AWS\",
\"count\": 22,
\"resource\": \"NAT_GATEWAY\"
},
{
\"cloud\": \"AWS\",
\"count\": 7,
\"resource\": \"EC2_INSTANCE\"
}
]
}"
| spath input=json|fields - json|rename resourceUsage{}.resource as resource,resourceUsage{}.count as count
|eval zip=mvzip(resource,count)
|fields _time,zip| mvexpand zip|eval splitted=split(zip,",")|eval resource=mvindex(splitted,0)|eval count=mvindex(splitted,1)
|table _time resource,count|timechart sum(count) by resource
Happy Splunking!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sukisen1981
Champion
06-23-2018
01:27 AM
<your index> | rex field=_raw "count:(?<count>.*)" max_match=0 | rex field=_raw "resource:(?<resource>.*)" max_match=0| eval count=trim(count)|eval resource=trim(resource) |eval fields = mvzip(count,resource)
| mvexpand fields
| rex field=fields "(?<count>\w+),(?<resource>\w+)"
|timechart values(count) by resource
Try this if you are not sure about your json field, ideally @renjith.nair 's solution and spath is the correct way to go about this
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
06-23-2018
01:10 AM
Hi @splunk_novice,
Hope this helps.
| makeresults |eval json="{
\"resourceUsage\": [
{
\"cloud\": \"AWS\",
\"count\": 34,
\"resource\": \"EC2_INSTANCE\"
},
{
\"cloud\": \"AWS\",
\"count\": 3,
\"resource\": \"NAT_GATEWAY\"
},
{
\"cloud\": \"AWS\",
\"count\": 10,
\"resource\": \"EC2_INSTANCE\"
},
{
\"cloud\": \"AWS\",
\"count\": 22,
\"resource\": \"NAT_GATEWAY\"
},
{
\"cloud\": \"AWS\",
\"count\": 7,
\"resource\": \"EC2_INSTANCE\"
}
]
}"
| spath input=json|fields - json|rename resourceUsage{}.resource as resource,resourceUsage{}.count as count
|eval zip=mvzip(resource,count)
|fields _time,zip| mvexpand zip|eval splitted=split(zip,",")|eval resource=mvindex(splitted,0)|eval count=mvindex(splitted,1)
|table _time resource,count|timechart sum(count) by resource
Happy Splunking!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunk_novice
New Member
06-23-2018
11:55 AM
Thanks renjith, worked like a charm.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sukisen1981
Champion
06-23-2018
12:53 AM
Hi, have you tried spath - http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Spath
Get Updates on the Splunk Community!
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
The Transformative Power of AI and ML in Enhancing Observability
In the realm of IT operations, the ...
.conf24 | Registration Open!
Hello, hello! I come bearing good news: Registration for .conf24 is now open!
conf is Splunk’s rad annual ...
ICYMI - Check out the latest releases of Splunk Edge Processor
Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.
HEC Receiver authorization ...
