I'm having serious issues in Splunk related to searching JSON structures.
I really don't understand why JSON isn't easier to search, considering that Splunk recognises the structure and allows you to expand it in syntax highlighted mode.
The issue that I'm having is that it appears to be impossible to search for a simple table of
value.data.timestamp value.name.localizedValue value.data.count
ultimately across multiple value.name.localizedValue entries, in order to try and do a timechart that shows metrics over time, or to be able to use this data inside ITSI as metrics for KPIs.
Above is one expanded data node, of which inside this value node, there are multiple data nodes each with this structure. Each data node contains one type of name.localizedValue (effectively the metric name).
I have tried, unsuccessfully, to use spath and mvexpand (admittedly, I don't fully understand these commands, and how they are used to their best effect) and I can't get them to format the data in the way I want to display it. But at the same time, why should we have to put over 500 characters into a search bar in order to search this type of structured data?
If the solution is ultimately to flatten the data so that you can search it, why have JSON at all?
The way I'd expect to see the data is like:
Table:
| value.data.timestamp | value.name.localizedValue | value.data.count |
| 2019-01-23T13:10:00Z | CPU Time                  | 15               |
| 2019-01-23T13:11:00Z | CPU Time                  | 16               |
As an aside, is there any way to make this process easier?
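The search below is an added example, not part of the original post or an official Splunk answer. It assumes the event is one JSON document whose `value` field is an array of metric objects, each carrying `name.localizedValue` and a `data` array of `{timestamp, count}` points (the same path names the post lists); the index name `azure_metrics` and the field names `metric`, `metric_name`, `datapoint` are assumptions chosen for illustration. The reason a single `spath` does not give the wanted table is that `value{}.name.localizedValue` and `value{}.data{}.count` come back as two unrelated multivalue fields, so the pairing between a metric name and its points is lost; expanding the outer array first, then the inner one, keeps each count attached to the right metric.

```spl
index=azure_metrics sourcetype=_json
``` Pull the outer array out as one multivalue field: one JSON object per metric
| spath path=value{} output=metric
``` One event per metric object
| mvexpand metric
``` Now spath can read inside that single object
| spath input=metric path=name.localizedValue output=metric_name
| spath input=metric path=data{} output=datapoint
``` One event per data point, still carrying metric_name
| mvexpand datapoint
| spath input=datapoint path=timestamp output=timestamp
| spath input=datapoint path=count output=count
``` The flat table asked for in the post
| table timestamp metric_name count
``` To chart instead, turn the ISO timestamp into _time and aggregate per metric
| eval _time=strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ")
| timechart span=1m max(count) by metric_name
```

Run the search without the last two lines to get the table, or with them for the timechart. The `spath input=... output=...` form is what makes the stepwise expansion work: after `mvexpand` each event holds one JSON fragment in `metric` (then in `datapoint`), and `spath` is told to parse that fragment rather than `_raw`. If the events are large, `mvexpand` may hit its memory limit (`limits.conf`, `[mvexpand] max_mem_usage_mb`); in that case run the search over a narrower time range or index the metrics pre-flattened, which is the trade-off the post is asking about.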