Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About nkavouris
nkavouris
Explorer
Member since:
11-28-2023
Online
Community Statistics
| Posts | 7 |
| Solutions | 0 |
| Karma Given | 3 |
| Karma Received | 0 |
| Member Since | 11-28-2023 |
Activity Feed
- Posted Extracting Data from complex JSON on Splunk Search. a week ago
- Posted How to get fields into a bar chart? on Splunk Search. 12-15-2023 07:47 AM
- Posted Re: Searching Nested JSON Data on Splunk Search. 12-13-2023 01:01 PM
- Karma Re: Searching Nested JSON Data for dtburrows3. 12-13-2023 11:30 AM
- Posted Re: Searching Nested JSON Data on Splunk Search. 12-13-2023 10:59 AM
- Karma Re: Searching Nested JSON Data for dtburrows3. 12-13-2023 10:59 AM
- Posted Searching Nested JSON Data on Splunk Search. 12-13-2023 09:30 AM
- Posted Re: Searching Nested JSON Data on Splunk Search. 11-28-2023 09:53 AM
- Karma Re: Searching Nested JSON Data for PickleRick. 11-28-2023 08:46 AM
- Posted Searching Nested JSON Data on Splunk Search. 11-28-2023 07:55 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
a week ago
I would like to extract the results of each test within the logs array by distinct count of serial number. That is, for each serial number i want to extract the test_name and result and plot the pass/fail rates of eachindividual test. The test names are the same in each event with only a different serial_number For the raw JSON below there would be 12 tests to extract the results from. How would i go about this in search? {"serial_number": "VE7515966", "type": "Test", "result": "Pass", "logs": [{"test_name": "UGC Connect", "result": "Pass"}, {"test_name": "Disable UGC USB Comm Watchdog", "result": "Pass"}, {"test_name": "ACR Data Read", "result": "Pass", "received": "ACR model extracted as Test"}, {"test_name": "Thermocouple in Grill", "tc_1": "295", "tc_2": "578", "req_diff": 50, "result": "Pass"}, {"test_name": "Glow Plug in Grill", "m_ugc": "1849", "tol_lower": 0, "tol_upper": 10000, "cond_ugc": "0", "tol_cond": 0, "result": "Pass"}, {"test_name": "Glow Plug Power Toggle", "result": "Pass", "received": "Glow plug power toggled"}, {"test_name": "Glow Plug in Grill", "m_ugc": "2751", "tol_lower": 0, "tol_upper": 10000, "cond_ugc": "0", "tol_cond": 0, "result": "Pass"}, {"test_name": "Motor", "R_rpm_ugc": 3775.0, "R_rpm": 3950, "R_v_ugc": 984.3333333333334, "R_v": 800, "R_rpm_t": 550, "R_v_t": 500, "R_name": "AUGER 640 R", "F_rpm_ugc": 3816.6666666666665, "F_rpm": 3950, "F_v_ugc": 985.3333333333334, "F_v": 800, "F_rpm_t": 550, "F_v_t": 500, "F_name": "AUGER 640 F"}, {"test_name": "Fan", "ugc_rpm": 2117.0, "rpm": 2700, "rpm_t": 800, "ugc_v": 554.3333333333334, "v": 630, "v_t": 200, "result": "Pass"}, {"test_name": "RS 485", "result": "Pass", "received": "All devices detected", "expected": "Devices detected: ['P', 'F']"}, {"test_name": "Close UGC Port", "result": "Pass"}, {"test_name": "Confirm Grill Size", "result": "Pass", "received": "Grill confirmed as Test"}]}
... View more
Labels
- Labels:
-
chart
-
count
-
field extraction
-
stats
12-15-2023
07:47 AM
I have a search as follows: index=*| search sourcetype=*| spath logs{} output=logs| spath serial_number output=serial_number| spath result output=result| table serial_number result| ```stats dc(serial_number) as throughput|``` stats count(eval(if(result="Fail",1,null()))) as failures count(eval(if(result="Pass",1,null()))) as passes | This returns a table shown in the capture with failures=215 and passes=350 how can i get these results as two sperate bars in one bar chart? basically want to show the pass/fail rate sample of the JSON data i am working with: {"serial_number": "30913JC0024EW1482300425", "type": "Test", "result": "Pass", "logs": [ {"test_name": "UGC Connect", "result": "Pass"}, {"test_name": "Disable UGC USB Comm Watchdog", "result": "Pass"}, {"test_name": "Hardware Rev", "result": "Pass", "received": "4"}, {"test_name": "Firmware Rev", "result": "Pass", "received": "1.8.3.99", "expected": "1.8.3.99"}, {"test_name": "Set Serial Number", "result": "Pass", "received": "1 A S \n", "expected": "1 A S"}, {"test_name": "Verify serial number", "result": "Pass", "received": "JC0024EW1482300425", "expected": "JC0024EW1482300425", "reason": "Truncated full serial number: 30913JC0024EW1482300425 to JC0024EW1482300425"}, {"test_name": "Thermocouple", "pt1_ugc": "24969.0", "pt1": "25000", "pt2_ugc": "19954.333333333332", "pt2": "20000", "pt3_ugc": "14993.666666666666", "pt3": "15000", "result": "Pass", "tolerance": "1000 deci-mV"}, {"test_name": "Cold Junction", "result": "Pass", "ugc_cj": "278", "user_temp": "270", "tolerance": "+ or - 5 C"}, {"test_name": "Glow Plug Open and Short", "result": "Pass", "received": "GP Open, Short, and Load verified OK.", "expected": "GP Open, Short, and Load verified OK."}, {"test_name": "Glow Plug Power On", "result": "Pass", "received": "User validated Glow Plug Power"}, {"test_name": "Glow Plug Measure", "pt1_ugc": "848", "pt1": "2070", "pt1_tolerance": "2070", "pt2_ugc": "5201", "pt2": "5450", "pt2_tolerance": "2800", "result": "Pass"}, {"test_name": "Motor Soft Start", "result": "Pass", "received": "Motor Soft Start verified", "expected": "Motor Soft Start verified by operator"}, {"test_name": "Motor", "R_rpm_ugc": 1525.0, "R_rpm": 1475, "R_v_ugc": 160.0, "R_v": 155, "R_rpm_t": 150, "R_v_t": 160, "R_name": "AUGER 320 R", "F_rpm_ugc": 1533.3333333333333, "F_rpm": 1475, "F_v_ugc": 164.0, "F_v": 182, "F_rpm_t": 150, "F_v_t": 160, "F_name": "AUGER 320 F", "result": "Pass"}, {"test_name": "Fan", "ugc_rpm": 2436.0, "rpm": 2130, "rpm_t": 400, "ugc_v": 653.3333333333334, "v": 630, "v_t": 160, "result": "Pass"}, {"test_name": "RS 485", "result": "Pass", "received": "All devices detected", "expected": "Devices detected: ['P']"}, {"test_name": "Close UGC Port", "result": "Pass"}, {"test_name": "DFU Test", "result": "Pass", "received": "Found DFU device"}, {"test_name": "Power Cycle", "result": "Pass", "received": "User confirmed power cycle"}, {"test_name": "UGC Connect", "result": "Pass"}, {"test_name": "Close UGC Port", "result": "Pass"}, {"test_name": "USB Power", "result": "Pass", "received": "USB Power manually verified"}]}
... View more
12-13-2023
01:01 PM
Is there a way to include multiple conditions? for example: if(spath(logs, "test_name")=="Motor", 'logs', null()), if(spath(logs, "result")=="Pass", 'logs', null()) In this case only using the data from the logs where test_name="Motor" and result="pass"
... View more
12-13-2023
10:59 AM
this function works well, thank you! Using it with eval _raw allows me to easily get the data i want using SPATH. eval _raw=selective_json| spath R_rpm_ugc output=reverseRPM| table serial_number test_name selective_json reverseRPM Would you be able to explain how this function works? As a splunk novice I am unsure how the selective_json field is created?
... View more
12-13-2023
09:30 AM
Hello Splunkers, I am New to Splunk and am trying to figure out how to parse nested JSON data spit out by an end-of-line test. Here is a sample event: {"serial_number": "PLACEHOLDER1234", "type": "Test", "result": "Pass", "logs": [{"test_name": "UGC Connect", "result": "Pass"}, {"test_name": "Disable UGC USB Comm Watchdog", "result": "Pass"}, {"test_name": "Hardware Rev", "result": "Pass", "received": "4"}, {"test_name": "Firmware Rev", "result": "Pass", "received": "1.8.3.99", "expected": "1.8.3.99"}, {"test_name": "Set Serial Number", "result": "Pass", "received": "1 A S \n", "expected": "1 A S"}, {"test_name": "Verify serial number", "result": "Pass", "received": "JC0024EW1482300425", "expected": "JC0024EW1482300425", "reason": "Truncated full serial number: 30913JC0024EW1482300425 to JC0024EW1482300425"}, {"test_name": "Thermocouple", "pt1_ugc": "24969.0", "pt1": "25000", "pt2_ugc": "19954.333333333332", "pt2": "20000", "pt3_ugc": "14993.666666666666", "pt3": "15000", "result": "Pass", "tolerance": "1000 deci-mV"}, {"test_name": "Cold Junction", "result": "Pass", "ugc_cj": "278", "user_temp": "270", "tolerance": "+ or - 5 C"}, {"test_name": "Glow Plug Open and Short", "result": "Pass", "received": "GP Open, Short, and Load verified OK.", "expected": "GP Open, Short, and Load verified OK."}, {"test_name": "Glow Plug Power On", "result": "Pass", "received": "User validated Glow Plug Power"}, {"test_name": "Glow Plug Measure", "pt1_ugc": "848", "pt1": "2070", "pt1_tolerance": "2070", "pt2_ugc": "5201", "pt2": "5450", "pt2_tolerance": "2800", "result": "Pass"}, {"test_name": "Motor Soft Start", "result": "Pass", "received": "Motor Soft Start verified", "expected": "Motor Soft Start verified by operator"}, {"test_name": "Motor", "R_rpm_ugc": 1525.0, "R_rpm": 1475, "R_v_ugc": 160.0, "R_v": 155, "R_rpm_t": 150, "R_v_t": 160, "R_name": "AUGER 320 R", "F_rpm_ugc": 1533.3333333333333, "F_rpm": 1475, "F_v_ugc": 164.0, "F_v": 182, "F_rpm_t": 150, "F_v_t": 160, "F_name": "AUGER 320 F", "result": "Pass"}, {"test_name": "Fan", "ugc_rpm": 2436.0, "rpm": 2130, "rpm_t": 400, "ugc_v": 653.3333333333334, "v": 630, "v_t": 160, "result": "Pass"}, {"test_name": "RS 485", "result": "Pass", "received": "All devices detected", "expected": "Devices detected: ['P']"}, {"test_name": "Close UGC Port", "result": "Pass"}, {"test_name": "DFU Test", "result": "Pass", "received": "Found DFU device"}, {"test_name": "Power Cycle", "result": "Pass", "received": "User confirmed power cycle"}, {"test_name": "UGC Connect", "result": "Pass"}, {"test_name": "Close UGC Port", "result": "Pass"}, {"test_name": "USB Power", "result": "Pass", "received": "USB Power manually verified"}]} I want to be able to extract the test data (all key-value pairs) from each test. Ideally would like to create dashboard charts showing response from Motor and Fan tests among others. Here is a sample search i have been using which allows me to create a table with the serial number, overall test result, individual test name, and individual test result index="factory_mtp_events" | search sourcetype="placeholder" source="placeholder" serial_number="PLACEHOLDER*"| spath logs{} output=logs| stats count by serial_number result logs| eval _raw=logs| spath test_name output=test_name |spath result output=test_result| table serial_number result test_name test_result How Can I index into the logs{} section and pull out all results dependent on test_name? So, how can I query for logs{}.test_name="Motor" and have the result yield : {"test_name": "Motor", "R_rpm_ugc": 1525.0, "R_rpm": 1475, "R_v_ugc": 160.0, "R_v": 155, "R_rpm_t": 150, "R_v_t": 160, "R_name": "AUGER 320 R", "F_rpm_ugc": 1533.3333333333333, "F_rpm": 1475, "F_v_ugc": 164.0, "F_v": 182, "F_rpm_t": 150, "F_v_t": 160, "F_name": "AUGER 320 F", "result": "Pass"},
... View more
Labels
- Labels:
-
eval
-
field extraction
-
table
-
timechart
11-28-2023
09:53 AM
"Do mvexpand to split it into separate results. Then do spath" Need more detail please Is there a way to see what the mvexpand returns? feels like debugging queries is next to impossible when spath-ing the mv results what exactly am inputting for? index="factory_mtp_events" | spath "logs{}" output=logs | mvexpand logs | spath input=logs.test_name|
... View more
11-28-2023
07:55 AM
Using SPL and Splunk Search, I would like to search the logs array for each separate test_name and results and create a table with the results
my current query looks something like:
index="factory_mtp_events" | spath logs{}.test_name | search "logs{}.test_name"="Sample Test1"
{
logs: [
{
result: Pass
test_name: Sample Test1
{
result: Pass
test_name: Sample Test2
}
{
received: 4
result: Pass
test_name: Sample Test3
}
{
expected: sample
received: sample
result: Pass
test_name: Sample Test4
}
{
expected: 1 A S
received: 1 A S
result: Pass
test_name: Sample Test5
}
{
expected: 1
reason: Sample Reason
received: 1
result: Pass
test_name: Sample Test6
}
{
pt1: 25000
pt1_recieved: 25012.666666666668
pt2: 20000
pt2_recieved: 25015.333333333332
pt3: 15000
pt3_recieved: 25017.0
result: Fail
test_name: Sample Test7
}
{
result: Pass
test_name: Sample Test8
tolerance: + or - 5 C
recieved_cj: 239
user_temp: 250
}
{
expected: Open, Short, and Load verified OK.
pt1: 2
pt1_recieved: 0
pt2: 1
pt2_received: 0
result: Fail
test_name: Sample Test9
}
{
pt1: 2070
pt1_tolerance: 2070
pt1_received: 540
pt2: 5450
pt2_tolerance: 2800
pt2_received: 538
result: Fail
test_name: Sample Test10
}
{
expected: Soft Start verified by operator
received: Soft Start verified
result: Pass
test_name: Sample Test11
}
{
F_name: AUGER 320 F
F_rpm: 1475
F_rpm_t: 150
F_rpm_received: 1500
F_v: 182
F_v_t: 160
F_v_received: 173
R_name: AUGER 320 R
R_rpm: 1475
R_rpm_t: 150
R_rpm_received: 1450
R_v: 155
R_v_t: 160
R_v_ugc: 154.66666666666666
result: Pass
test_name: Sample Test12
}
{
result: Pass
rpm: 2130
rpm_t: 400
test_name: Sample Test13
received_rpm: 2126.6666666666665
received_v: 615.6666666666666
v: 630
v_t: 160
}
]
result: Fail
serial_number: XXXXXXXXXXXsample
type: Test
What is the purpose of the brackets after logs? I assume regex must be used to get the result from each test? How do I pull results from each test into a table containing the results of every separate log?
I would like the table for each test to look something like:
** Sample Test1**
Expected Actual Serial No.
X
X
XXXXXXXsample
Y
Z
XXXXXX2sample
... View more
Labels
- Labels:
-
chart
-
field extraction
-
fields
-
regex
Contact Me
| Online Status |
Online
|
| Date Last Visited |
a week ago
|
