What is a good way to Splunk log lines like the fo...

dtakacssplunk · ‎09-14-2018

Lets say I have a log line that contains of a JSON field with this content:

{
    "breakdown": {
        "a": [
            {
                "t1": 100,
                "t2": 0
            },
            {
                "t1": 0,
                "t2": 0
            }
        ],
        "b": [
            {
                "t1": 1,
                "t2": 0
            },
            {
                "t1": 1,
                "t2": 0
            }
        ],
        "c": [
            {
                "t1": 1,
                "t2": 2
            }
        ],
        "d": [
            {
                "t1": 5,
                "t2": 1
            }
        ]
    }
}

I want to Splunk this and convert the results into something like this:

component count p50_t1 p50_t2 min_t1 max_t1 min_t2 max_t2
a 2 50 0 0 100 0 0
b 2 1 0 0 1 0 0
c 1 1 2 1 1 2 2
d 1 5 1 5 5 1 1

What's the Splunk query to do such transformation?

What is a good way to Splunk log lines like the following with JSON?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!