Getting Data In

How do i convert a Json Multi key value pair to multi line chart

robertlynch2020
Motivator

Hi

I have X number of "totalHitCount" in a JSON file (mtr.gauges.caching_metrics.nodes{}.totalHitCount). Within multiple node{} and i am looking to graphs each node{}totalHitCount with time on Y and nodes{}.totalHitCount values - multiple series on the Y axis.

index=amber_live_* sourcetype=AMBER_METRIC usedMemoryMB | spath "mtr.gauges.caching_metrics.nodes{}.totalHitCount" | sort _time| table mtr.gauges.caching_metrics.nodes{}.totalHitCount _time

{ [-]
   h: mx12405vm
   mtr: { [-]
     counters: { [+]
     }
     gauges: { [-]
       caching_metrics: { [-]
         clientCount: 5
         locatorCount: 1
         maxMemoryMB: 10240
         memberCount: 4
         nodes: [ [-]
           { [-]
             bytesReceivedPerSecond: 0
             bytesSentPerSecond: 0
             cpuUsage: 0.21666667
             gcCount: 96
             gcTimeMilliseconds: 884
             getsPerSecond: 0
             locator: true
             lruEvictionsPerSecond: 0
             maxMemoryMB: 2048
             nodeName: positions-gf-locator-v1-1
             putsPerSecond: 0
             readsPerSecond: 0
             server: false
             totalHitCount: 0
             totalMissCount: 0
             totalRegionCount: 0
             totalRegionEntryCount: 0
             usedMemoryMB: 205
             writesPerSecond: 0
           }
           { [-]
             bytesReceivedPerSecond: 0
             bytesSentPerSecond: 0
             cpuUsage: 0.81666666
             gcCount: 196
             gcTimeMilliseconds: 1337
             getsPerSecond: 0
             locator: false
             lruEvictionsPerSecond: 0
             maxMemoryMB: 2048
             nodeName: positions-gf-cacheserver-v1-1
             putsPerSecond: 0
             readsPerSecond: 0
             server: true
             totalHitCount: 1751992
             totalMissCount: 114
             totalRegionCount: 17
             totalRegionEntryCount: 120
             usedMemoryMB: 254
             writesPerSecond: 0
           }

etc...

alt text

Any help would be super thanks.
I did look at this
https://answers.splunk.com/answers/302236/how-to-take-multiple-key-value-pairs-and-draw-a-li.html

But the number of nodes could be dynamic, so not sure what to do.

Rob

0 Karma
1 Solution

robertlynch2020
Motivator

hi

i got it

index=amber_live_* sourcetype=AMBER_METRIC usedMemoryMB
| spath "mtr.gauges.caching_metrics.nodes{}.totalRegionEntryCount"
| rename mtr.gauges.caching_metrics.nodes{}.totalRegionEntryCount AS totalRegionEntryCount
| rename mtr.gauges.caching_metrics.nodes{}.nodeName AS nodeName
| eval x=mvzip(nodeName,totalRegionEntryCount)
| mvexpand x
| eval x = split(x,",")
| eval totalRegionEntryCount=mvindex(x,0)
| eval nodeName=mvindex(x,1) | table _time totalRegionEntryCount nodeName | timechart bins=1000 max(nodeName) by totalRegionEntryCount

View solution in original post

0 Karma

robertlynch2020
Motivator

hi

i got it

index=amber_live_* sourcetype=AMBER_METRIC usedMemoryMB
| spath "mtr.gauges.caching_metrics.nodes{}.totalRegionEntryCount"
| rename mtr.gauges.caching_metrics.nodes{}.totalRegionEntryCount AS totalRegionEntryCount
| rename mtr.gauges.caching_metrics.nodes{}.nodeName AS nodeName
| eval x=mvzip(nodeName,totalRegionEntryCount)
| mvexpand x
| eval x = split(x,",")
| eval totalRegionEntryCount=mvindex(x,0)
| eval nodeName=mvindex(x,1) | table _time totalRegionEntryCount nodeName | timechart bins=1000 max(nodeName) by totalRegionEntryCount

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...