
Grouping JSON data and creating dynamic chart

MemoreX42
Explorer

Hi experts,

I am trying to create a dashboard from my data, which is logged in JSON format. However, I am stuck with getting sub-elements from the JSON as lines in my chart.

Here is a sample log:

{
    "DataThroughput": {
        "Updates per second": 576.0666666666667,
        "Incoming Requests per second": 388.7,
        "Processed Requests per second": 382.35
    },
    "DeploymentId": "c84e3e1fe4f74408876bea1a9f6c60e1",
    "LogLevel": "Info",
    "LogTime": "2015-05-05T14:51:37.5168234+00:00"
}

I get one of these every minute into splunk. My ultimate goal is to have a timechart over the data throughput of my system, i.e.:

X-Axis: The time (say over the last 1h)
Y-Axis: The average throughput per second

In this example, the timechart would have three lines (one for Updates / s, one for Incoming Requests / s and one for Processed Requests / s).

Now I know how to do this for this static case, but in my real world scenario, the number of children under the node "DataThroughput" and their names is unknown and changes frequently. Is there a clever way to extract all children of the "DataThroughput" node in the JSON data and build a line in a timechart for each of them without specifying them directly?

Thanks a lot,
Christian


aljohnson_splun
Splunk Employee

So first, you want to extract all the data in the specific node - one way of doing that is by using two spath commands. You'll need to use the fields command too, in order to make sure those are the only fields that we are dealing with.

| spath DataThroughput
| fields DataThroughput
| spath input=DataThroughput
| timechart avg(*) as *

Now you can add span to timechart to adjust the sampling interval (e.g. timechart span=15m avg(*) as *) and obviously tweak the time range to whatever you need (you had mentioned over the last hour). If you don't use the span option of timechart, it will just set your sampling interval automatically.

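To make concrete what the accepted search does with a node whose children change over time, here is an offline model of the same pipeline (spath on the node, then timechart span=15m avg(*) as *) in plain Python. It is an added example, not code from the original post and not Splunk's own implementation; the sample events are constructed for it, and the second and fourth events deliberately add and drop a child of DataThroughput so you can see how the set of series is discovered from the data rather than listed by hand. It also truncates the 7-digit .NET fraction in LogTime to the 6 digits Python accepts, skips non-JSON lines the way spath would yield nothing for them, and leaves a gap (None) rather than a zero in buckets where a series has no samples, which is what timechart does.

```python
"""Offline model of:
    | spath DataThroughput | fields DataThroughput | spath input=DataThroughput
    | timechart span=15m avg(*) as *
Added example; not Splunk code and not from the original post."""
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events, one JSON object per line (not the poster's real
# data). The children under "DataThroughput" change over time: a new child
# appears in the second event and one child is missing from the last one.
# The third-to-last line is deliberately not JSON.
SAMPLE_LINES = [
    '{"DataThroughput": {"Updates per second": 576.0, "Incoming Requests per second": 388.7, '
    '"Processed Requests per second": 382.35}, "DeploymentId": "c84e3e1fe4f74408876bea1a9f6c60e1", '
    '"LogLevel": "Info", "LogTime": "2015-05-05T14:51:37.5168234+00:00"}',
    '{"DataThroughput": {"Updates per second": 580.0, "Incoming Requests per second": 390.0, '
    '"Processed Requests per second": 384.0, "Failed Requests per second": 1.0}, '
    '"DeploymentId": "c84e3e1fe4f74408876bea1a9f6c60e1", "LogLevel": "Info", '
    '"LogTime": "2015-05-05T14:52:37.1234567+00:00"}',
    'this line is not JSON and is skipped',
    '{"DataThroughput": {"Updates per second": 600.0, "Incoming Requests per second": 400.0, '
    '"Processed Requests per second": 398.0, "Failed Requests per second": 2.0}, '
    '"DeploymentId": "c84e3e1fe4f74408876bea1a9f6c60e1", "LogLevel": "Info", '
    '"LogTime": "2015-05-05T15:01:00+00:00"}',
    '{"DataThroughput": {"Updates per second": 610.0, "Incoming Requests per second": 402.0, '
    '"Failed Requests per second": 4.0}, "DeploymentId": "c84e3e1fe4f74408876bea1a9f6c60e1", '
    '"LogLevel": "Info", "LogTime": "2015-05-05T15:02:00.250+00:00"}',
]

_FRACTION = re.compile(r"(\.\d{1,6})\d*")


def parse_logtime(value):
    """Parse LogTime. .NET emits 7 fractional digits; datetime accepts at most
    6, so the fraction is truncated to microseconds before parsing."""
    value = _FRACTION.sub(r"\1", value)
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def timechart_avg(lines, node="DataThroughput", span_seconds=900):
    """Return (bucket_starts, series).

    bucket_starts: sorted ISO timestamps of each span bucket that has events.
    series: every child name seen under `node` in any event, mapped to one
    average per bucket, or None where no event in that bucket carried it
    (timechart leaves such cells empty rather than filling them with 0).
    """
    sums = defaultdict(lambda: defaultdict(float))   # bucket -> field -> sum
    counts = defaultdict(lambda: defaultdict(int))   # bucket -> field -> n
    fields = set()
    for line in lines:
        try:
            event = json.loads(line)
        except ValueError:
            continue  # spath extracts nothing from a non-JSON event
        children = event.get(node)
        if not isinstance(children, dict) or "LogTime" not in event:
            continue  # no node to expand (assumption: LogTime is the event time)
        ts = parse_logtime(event["LogTime"]).timestamp()
        bucket = int(ts // span_seconds) * span_seconds
        for name, value in children.items():
            # avg() only aggregates numbers; strings and nested objects are
            # ignored, so they never become a line on the chart.
            if isinstance(value, bool) or not isinstance(value, (int, float)):
                continue
            fields.add(name)
            sums[bucket][name] += value
            counts[bucket][name] += 1
    buckets = sorted(sums)
    series = {
        name: [sums[b][name] / counts[b][name] if counts[b].get(name) else None
               for b in buckets]
        for name in sorted(fields)
    }
    starts = [datetime.fromtimestamp(b, tz=timezone.utc).isoformat() for b in buckets]
    return starts, series


if __name__ == "__main__":
    starts, series = timechart_avg(SAMPLE_LINES)
    print("_time".ljust(26), *series)
    for i, start in enumerate(starts):
        print(start.ljust(26), *[series[name][i] for name in series])
```

Running it prints one row per 15-minute bucket with a column for each child that appeared anywhere in the data, including "Failed Requests per second", which was never named in the code. That is the property the accepted answer's `avg(*) as *` gives you in Splunk: the field list comes from the events, so new counters turn into new lines on the timechart without touching the search.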

MemoreX42
Explorer

Thanks, this works just the way I wanted it, thanks a lot!
