All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create 12- month trend line from data getting from a JSON endpoint?

chiraggl
Engager
‎12-23-2019 12:19 AM

Have to create 12- month trend line and data I am getting it in JSON. Please check the enclosed screenshot, I could able to create the alt texttable.

Preview file
1 KB
0 Karma
Reply

to4kawa
Ultra Champion
‎12-23-2019 11:42 PM 
| makeresults count=2
| eval time=split("2018-12-02#2019-03-24","#")
| mvexpand time
| eval _time=strptime(time,"%F")
| makecontinuous span=7d _time
| eval temp="480.0,480.0,480.0,470.0,470.0,470.0,460.0,460.0,460.0,460.0,470.0,510.0,510.0,510.0,520.0,530.0,530.0"
| streamstats current=f count 
| eval y=mvindex(split(temp,","),count)
| eval x=strftime(_time,"%F")
| table y x 
| eval count = 1
| stats list(*) as * by count
| rename x as "graph_data.ratings{}.x" 
| rename y as "graph_data.ratings{}.y"
| fields - count
| rename COMMENT as "this is sample you provide"
| rename COMMENT as "from here, the logic"
| eval _time=strptime('graph_data.ratings{}.x',"%F")
| stats list(*) as * by _time
| streamstats current=f count
| eval rating=mvindex('graph_data.ratings{}.y',count)
| table _time rating
| rename COMMENT as "viz > Line Chart"

Hi, @chiraggl
I chose not to use mvexpand.

0 Karma
Reply

aberkow
Builder
‎12-23-2019 08:12 AM

Something like this should work for you, but you might need to play around with it a little to get the exact form you want (I didn't know if you had an _time field from these logs and if it correlated with the date stamp you had).

| baseSearch
| eval zip=mvzip('graph_data.ratings{}.y', 'graph_data.ratings{}x')
| mvexpand zip
| eval zip=split(zip, ",")
| eval ratings=mvindex(zip,0)
| eval time=mvindex(zip,1)
| eval _time=strptime(time, "%Y-%m-%d")
| timechart values(ratings) span=w

Essentially, zip each value pair together, expand them into their own rows, index out the values, create a _time field if it doesn't exist, then plug that into a timechart command. Hope this helps!

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...