I'm trying to parse the following JSON data into a timechart "by label". The "data" section is a timestamp and a value. I've managed to get each series into its own event but I can't seem to get anything parse to below the series level;
{
"9": {
"series": [
{
"label": "content",
"data": [
[
1493673985000,
10
],
[
1493673990000,
10
],
[
1493673995000,
10
]
]
},
{
"label": "filters",
"data": [
[
1493673985000,
3
],
[
1493673990000,
3
],
[
1493673995000,
3
]
]
},
{
"label": "total",
"data": [
[
1493673985000,
14
],
[
1493673990000,
14
],
[
1493673995000,
14
]
]
}
]
}
}
By using | spath output=series path="9.series{}" I'm able to get the each series split into an event. I think I just need to extract label, mvzip it with data{0} and data{1} and then mvexpand that but I can't seem to find the syntax that works for that. In then I'd like something that allows me to do something like | eval _time=timestamp| timechart max(value) by label
... View more