@girishkhadke
I worked on a similar JSON data format, except for the HEX to Number conversion.
I took the following steps to obtain pie charts; I guess you can make a similar attempt too.
My JSON format (P.S. the original format is huge, so I kept this short; you may find field names missing from the query associated below):
{
  "thread": "7",
  "level": "INFO",
  "eventTime": "2015-08-13 15:05:51.1162752",
  "message":
  {
    "date": "Thu Aug 13 2015 15:05:50 GMT-0500 (Central Daylight Time)",
    "id": "btnvoe",
    "outerText": "EMPLOYMENT",
    "eventType": "click",
    "transactionId": "9c9a713a-ae01-4299-8577-ee9293730f0c",
    "browserName": "Chrome",
    "browserVersion": "44",
    "pageName": "Verification",
    "oSNameVersion": "Windows 7"
  }
}
I guess you don't need to go for separate field extractions, which usually results in regex patterns.
You can try the SPATH command; basically it works like pulling out fields in the form of Object DOT attribute name.
Here's my query:
index=csfindex_apilogger message.pageName=Instant OR message.pageName=InstantIncome message.id=btnNext message.appName=CSF-Poc
|spath
|table _time,message.sessionId,message.userName,message.id,message.pageName
|rename message.sessionId as sessionId,message.userName as userName,message.id as id
|where len(sessionId)>0
|eval userName= if(len(userName)=0 or isnull(userName),"Unknown user",userName)
|dedup sessionId,userName
|chart count(sessionId) as TotalSessions over userName
|sort -TotalSessions
|streamstats count as rank
|search rank>=1 rank<=4
After using spath, just pull out whatever JSON fields you need and table them for further operations.
Here you can also declare an eval command to switch the HEX to a number; refer to their documentation for the appropriate command set.
And for creating pies, one must have 1 count field against a group by.
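Added example (not the original poster's query): a self-contained search that builds three constructed JSON events with `makeresults`, runs `spath` on them, converts a hypothetical `message.hexCode` field from HEX to a number with `tonumber(field, 16)`, and ends with the single count field per group that a pie chart needs. The field names `hexCode`, `userName` and `sessionId` are assumed; only `tonumber`, `spath`, `chart` and `makeresults` are real SPL commands and functions.

```spl
| makeresults count=3
| streamstats count AS n
| eval _raw=case(
    n=1, "{\"message\":{\"userName\":\"alice\",\"sessionId\":\"s1\",\"hexCode\":\"1F\"}}",
    n=2, "{\"message\":{\"userName\":\"alice\",\"sessionId\":\"s1\",\"hexCode\":\"1F\"}}",
    n=3, "{\"message\":{\"userName\":\"\",\"sessionId\":\"s2\",\"hexCode\":\"FF\"}}")
| spath
| rename message.userName AS userName, message.sessionId AS sessionId, message.hexCode AS hexCode
| eval userName=if(len(userName)=0 OR isnull(userName), "Unknown user", userName)
| eval code=tonumber(hexCode, 16)
| where len(sessionId)>0
| dedup sessionId, userName
| chart count(sessionId) AS TotalSessions OVER userName
| sort -TotalSessions
```

With the constructed events, `code` becomes 31 for the two alice rows and 255 for the empty-user row; the duplicate alice session is collapsed by `dedup`, so the chart yields one row per user (alice and "Unknown user"), each with TotalSessions=1, which plots directly as a pie.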