Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Converting json map into table

queryaslan
Explorer
‎09-01-2021 02:18 AM

Hi,

I'm trying out the new Splunk dashboard and the goal is to plot users' database document count over time.


The log contains a JSON map with the top 100 users with most documents.  Since user doc-count differs over time the keys will also differ...

"userDocuments"{
   "userA":1836,
   "userD":1197,
   "userB":606,
   "userZ":108062,
   "userE":972,
   "userC":931
 }

I'm having a hard time creating a simple table like this

UserCount
userA1836
userD1197
userB606
userZ108062
userE972
userC931



Any input for a query/changing data structure?

Labels (1)
Labels
Tags (1)
0 Karma
Reply

queryaslan
Explorer
‎09-06-2021 07:03 AM

@kamlesh_vaghela sorry for bothering you but how would you add a timestamp column for the table?

| rex field=_raw "\"(?<Users>[^\"]+)\"\s*\:\s*(?<Count>\d+)" max_match=0 | eval t=mvzip(Users,Count) | stats count by t | eval Users=mvindex(split(t,","),0),Count=mvindex(split(t,","),1) | eval time=0 | foreach User [eval time=_time]| table Users Count total _time | sort by -Count
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎09-06-2021 09:27 PM

@queryaslan 

try this.

|rex field=_raw "\"(?<Users>[^\"]+)\"\s*\:\s*(?<Count>\d+)" max_match=0
| eval t=mvzip(Users,Count) |mvexpand t | eval Users=mvindex(split(t,","),0),Count=mvindex(split(t,","),1) | search Users="user*"  | table _time Users Count

 

KV 

0 Karma
Reply

queryaslan
Explorer
‎09-01-2021 04:39 AM

@kamlesh_vaghela  Thank you! The only problem I have is that have another map in the log so it will parse values from the map into the table. But I guess i could solve the by looking for "user" as a prefix in the regex or if you have a smarter solution?

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎09-01-2021 04:47 AM

@queryaslan 

Just add 

| search Users="user*"

 

Please check my updated answer.

 

Thanks
KV
▄︻̷̿┻̿═━一   

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated. 

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎09-01-2021 03:01 AM

@queryaslan 

Can you please try this?

 

YOUR_SEARCH
|rex field=_raw "\"(?<Users>[^\"]+)\"\s*\:\s*(?<Count>\d+)" max_match=0
| eval t=mvzip(Users,Count) |stats count by t | eval Users=mvindex(split(t,","),0),Count=mvindex(split(t,","),1) | search Users="user*" | table Users Count

 

 

My Sample Search :

 

| makeresults 
| eval _raw="{\"userDocuments\": {\"userA\":1836,\"userD\":1197,\"userB\":606,\"userZ\":108062,\"userE\":972,\"userC\":931}}" 
|rex field=_raw "\"(?<Users>[^\"]+)\"\s*\:\s*(?<Count>\d+)" max_match=0
| eval t=mvzip(Users,Count) |stats count by t | eval Users=mvindex(split(t,","),0),Count=mvindex(split(t,","),1) | search Users="user*"  | table Users Count

 


 

Screenshot 2021-09-01 at 3.31.11 PM.png

 

Thanks
KV
▄︻̷̿┻̿═━一    

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...