Splunk create Pie chart from JSON map


My application logs a JSON every day containing a map for a pie chart.

For example this JSON:

{
  "telemetryEventName": "active-deliveries",
  "telemetryData": [
    {
      "id": "1",
      "name": "repo-01",
      "gitTextsInformation": [
        {
          "key": "es-ES",
          "value": "47"
        },
        {
          "key": "pt-BR",
          "value": "46"
        }
      ]
    },
    {
      "id": "2",
      "name": "repo-02",
      "gitTextsInformation": [
        {
          "key": "es-ES",
          "value": "12"
        },
        {
          "key": "pt-BR",
          "value": "13"
        }
      ]
    }
  ]
}

It comes from a log message, and I'd like to create a pie chart for each gitTextsInformation.

I already tried to create a table:

"index"="main" "kubernetes.container_name"="..." logger_name=telemetryLogger message.telemetryEventName="..."
| head 1 
| table message.telemetryData{}.gitTextsInformation{}.key message.telemetryData{}.gitTextsInformation{}.value

But it is not working as a search for creating the pie chart.


0
RichG On

The problem is there is only one event, which makes for an uninteresting pie chart. Yes, there are multiple data points in that event, but Splunk cannot plot multi-value fields. The workaround is to put each data point into its own event.

The mvexpand command will break a multi-value field into multiple events, but it only works with one field. Using mvexpand on one field and then another breaks the association between the fields. To maintain the relationship between keys and values, we first have to combine them into a single field, run mvexpand, then separate the keys and values.

index=main "kubernetes.container_name"="..." logger_name=telemetryLogger message.telemetryEventName="..."
| head 1 
``` Combine the keys and values to retain their relationships ```
| eval data=mvzip('message.telemetryData{}.gitTextsInformation{}.key', 'message.telemetryData{}.gitTextsInformation{}.value')
``` Put each key/value pair into their own event ```
| mvexpand data
``` Put keys and values into their own fields ```
| eval data=split(data,",")
| eval key=mvindex(data,0), value=mvindex(data,1)
| table key value
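
The following search is an added example, not part of RichG's answer. It runs both approaches side by side on the keys and values from the question's JSON, so the broken key/value association is visible in the result. The field names approach, pair, rows and pairs are illustrative, and the multi-value fields are built with split() instead of being read from the indexed event.

```spl
| makeresults
| eval approach="mvexpand key, then mvexpand value"
| eval key=split("es-ES,pt-BR,es-ES,pt-BR", ","), value=split("47,46,12,13", ",")
| mvexpand key
| mvexpand value
| append
    [| makeresults
     | eval approach="mvzip, then mvexpand"
     | eval key=split("es-ES,pt-BR,es-ES,pt-BR", ","), value=split("47,46,12,13", ",")
     | eval data=mvzip(key, value)
     | mvexpand data
     | eval data=split(data, ",")
     | eval key=mvindex(data, 0), value=mvindex(data, 1)]
| eval pair=key . "=" . value
| stats count AS rows, values(pair) AS pairs BY approach
```

Expanding each field separately yields 16 rows in which every key is paired with every value, including pairs such as es-ES=46 that never occur in the data. Zipping first yields the 4 original pairs.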

0
Chandika On

Try this, you can use spath to process

| makeresults 
| eval data ="{\"telemetryEventName\":\"active-deliveries\",\"telemetryData\":[{\"id\":\"1\",\"name\":\"repo-01\",\"gitTextsInformation\":[{\"key\":\"es-ES\",\"value\":\"47\"},{\"key\":\"pt-BR\",\"value\":\"46\"}]},{\"id\":\"2\",\"name\":\"repo-02\",\"gitTextsInformation\":[{\"key\":\"es-ES\",\"value\":\"12\"},{\"key\":\"pt-BR\",\"value\":\"13\"}]}]}" 
| spath input=data path="telemetryData{}" output=telemetryData 
| mvexpand telemetryData 
| table telemetryData 
| spath input=telemetryData path="name" output=name 
| spath input=telemetryData path="gitTextsInformation{}" output=gitTextsInformation 
| table name, gitTextsInformation 
| mvexpand gitTextsInformation 
| spath input=gitTextsInformation 
| stats values(value) by key, name

If you need separate pie charts for each repo name, you can use trellis as below
