I'm building a stacked column chart for some of my data via the following query and it works great:
_sourceCategory="<source>" and "<filter>"
| json field=_raw "json_field.key1.key2.key2" as json_value
| json auto field=json_value "v1", "v2", "v3"
| fields -_raw
| timeslice 2m
| avg(v1) as v1_avg,
avg(v2) as v2_avg
avg(v3) as v3_avg
For one of my new datasets however, the keys of the json value are not known ahead of time - I do not know what v1, v2 and v3 are.
I was wondering if it's possible to achieve the same result without knowing these ahead of time?
I found this link which parses the json as a regex, but I have two issues with it:
- It works to aggregate counts, but I can't figure out how I can compute timesliced averages using the same approach
- The fact that I have a well-formatted json object, but am parsing it as a regex makes me feel that I'm doing something incorrectly
Please sign in to leave a comment.