Another example
tmuth authored Apr 30, 2020
1 parent 0ec26c0 commit b858ea3
Showing 1 changed file with 10 additions and 0 deletions.
10 changes: 10 additions & 0 deletions README.md
Expand Up @@ -42,3 +42,13 @@ Split a single json event/field into multiple events. Pull a parent value down i
| eval json="{\"fioversion\":\"fio-3.1\",\"timestamp\":1550591003,\"jobs\":[{\"jobname\":\"job1\",\"read\":{\"iops\":1111}},{\"jobname\":\"job2\",\"read\":{\"iops\":2222}}]}"
| jq input=json output=json_new args="-r" split="}" filter=".timestamp as $ts | .jobs[] | {jobname: .jobname, timestamp: $ts,read_iops: .read.iops}"
```
Build on the previous result and expand the json into separate fields you can chart in Splunk
```
| makeresults count=1
| eval json="{\"fioversion\":\"fio-3.1\",\"timestamp\":1550591003,\"jobs\":[{\"jobname\":\"job1\",\"read\":{\"iops\":1111}},{\"jobname\":\"job2\",\"read\":{\"iops\":2222}}]}"
| jq input=json output=json_new args="-r" split="}" filter=".timestamp as $ts | .jobs[] | {jobname: .jobname, timestamp: $ts,read_iops: .read.iops}"
| rex field=json_new "(?msi)(?<json_field>\{.+\}$)"
| spath input=json_field
| eval _time=timestamp
| chart mean(read_iops) by jobname
```
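Review bot: `| eval _time=timestamp` near the end of the new example has no effect on the result, because the following `| chart mean(read_iops) by jobname` groups only by jobname and never reads `_time`. Either drop the eval or end the example with a time-based chart such as `| timechart mean(read_iops) by jobname`, so the README shows why the timestamp was pulled down into each job. In the rex line, the `i` flag in `(?msi)` does nothing since the pattern contains no letters, and with the `s` flag the greedy `\{.+\}$` captures from the first `{` to the last `}` at a line end, so if a single `json_new` value ever held more than one object they would be captured together and passed to spath as one string; a non-greedy `.+?` or a short note that each value holds exactly one object would make that assumption explicit. A blank line between the new description sentence and its opening fence would also keep it consistent with Markdown renderers that require one.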
