I have the following file containing JSON:
Aug 22 13:50:15 192.168.10.100 {"NETFLOW" : [{"IPSA":"00000000","IPDA":"00000000","L4SP":"0000","L4DP":"0000","PROT":"17","MPLS":"00000","PKTS":"00000001","BYTS":"00000042"},{"IPSA":"ce8f722f","IPDA":"b5da2748","L4SP":"d52a","L4DP":"d52a","PROT":"6","MPLS":"00000","PKTS":"00000003","BYTS":"00000116"}]}
The JSON contains an array of netflows.
Every line of JSON is preceded by a timestamp and the IP address from which the record originated.
I want to create a pie chart containing the count of the different protocol values (field: PROT in the JSON). (e.g. in the above, PROT:17 is one netflow record and PROT:6 is another.) The JSON itself is an array of such elements, and we would have a JSON line logged every second.
I am completely new to Splunk (using Splunk Enterprise) and from my initial reading it looks like I can do it by defining a field extraction, but I am completely confused about how to use it. Also, the IPSA field is hex and I would want to convert it to decimal, and I do not know how to do that in Splunk.
Can somebody help direct me on how the JSON field extraction can basically be achieved, such that I can create a pivot and use it to create charts?
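The three steps the question is asking about (strip the syslog prefix to get at the JSON body, expand the NETFLOW array into one record per flow, and convert the hex IPSA/IPDA and port fields to decimal) are shown below as an added, stand-alone Python example; it is not code from the question or from Splunk. In Splunk the same pipeline is typically `rex` to capture the `{...}` body, `spath` to pull out the `NETFLOW{}` array, `mvexpand` to get one event per flow, `eval ipsa_dec=tonumber(IPSA, 16)` for the hex conversion, and `stats count by PROT` for the pie chart. Running the offline version against a copy of the log gives you the expected protocol counts and decoded addresses to check the Splunk extraction against. The sample lines are constructed: the first is the line from the question, the second is made up in the same shape, and the third is deliberately malformed to show that a bad line is skipped rather than aborting the run. The assumption that PKTS/BYTS/MPLS are also hex is not made here because the question does not say.

```python
import json
import re
from collections import Counter

# Constructed sample lines in the shape described in the question: a syslog
# timestamp, the reporting host's IP, then one JSON object holding a NETFLOW
# array. Line 1 is the question's own line; line 2 is made up; line 3 is junk.
SAMPLE_LINES = [
    'Aug 22 13:50:15 192.168.10.100 {"NETFLOW" : [{"IPSA":"00000000","IPDA":"00000000",'
    '"L4SP":"0000","L4DP":"0000","PROT":"17","MPLS":"00000","PKTS":"00000001","BYTS":"00000042"},'
    '{"IPSA":"ce8f722f","IPDA":"b5da2748","L4SP":"d52a","L4DP":"d52a","PROT":"6","MPLS":"00000",'
    '"PKTS":"00000003","BYTS":"00000116"}]}',
    'Aug 22 13:50:16 192.168.10.100 {"NETFLOW" : [{"IPSA":"0a000001","IPDA":"0a000002",'
    '"L4SP":"0035","L4DP":"c001","PROT":"17","MPLS":"00000","PKTS":"00000002","BYTS":"00000080"}]}',
    'Aug 22 13:50:17 192.168.10.100 not json at all',  # malformed line, must be skipped
]

# Syslog prefix (month, day, time, host), then the JSON body running to end of line.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+(?P<json>\{.*\})\s*$'
)


def hex_to_int(h):
    """Parse a zero-padded hex string such as 'd52a' into an int (54570)."""
    return int(h, 16)


def hex_to_ipv4(h):
    """Turn an 8-hex-digit IPv4 address ('ce8f722f') into dotted decimal."""
    n = hex_to_int(h)
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit address: %r" % h)
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_line(line):
    """Split one log line into (timestamp, host, list of raw flow dicts).

    Returns None when the line does not match the expected layout or the JSON
    body does not parse, so a stray line does not abort the whole run.
    """
    m = LINE_RE.match(line)
    if m is None:
        return None
    try:
        body = json.loads(m.group("json"))
    except json.JSONDecodeError:
        return None
    flows = body.get("NETFLOW") if isinstance(body, dict) else None
    if not isinstance(flows, list):
        return None
    return m.group("ts"), m.group("host"), flows


def decode_flow(flow):
    """Return a copy of one flow with the hex fields converted.

    IPSA/IPDA get a dotted-quad form plus the plain integer (what Splunk's
    tonumber(IPSA, 16) would give); L4SP/L4DP become integer ports.
    PKTS/BYTS/MPLS are left untouched: the question does not state their radix.
    """
    out = dict(flow)
    for key in ("IPSA", "IPDA"):
        if key in flow:
            out[key + "_int"] = hex_to_int(flow[key])
            out[key + "_ip"] = hex_to_ipv4(flow[key])
    for key in ("L4SP", "L4DP"):
        if key in flow:
            out[key + "_int"] = hex_to_int(flow[key])
    return out


def count_protocols(lines):
    """Count PROT values across every flow in every parseable line: these are
    the numbers a protocol pie chart is drawn from."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip it, keep counting the rest
        _ts, _host, flows = parsed
        counts.update(f["PROT"] for f in flows if "PROT" in f)
    return counts


if __name__ == "__main__":
    print(dict(count_protocols(SAMPLE_LINES)))          # {'17': 2, '6': 1}
    _, _, flows = parse_line(SAMPLE_LINES[0])
    print(decode_flow(flows[1]))                        # IPSA_ip 206.143.114.47, L4DP_int 54570
```

Each flow in the array becomes its own record before counting, which is the same reason the Splunk route needs `mvexpand`: counting on the un-expanded event would give one count per log line, not one per flow.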