How to chart a search that returns event with multiple facets that have a name/result pair in Splunk

Question

I am doing the following search:

source="new_relic_insights://NRInsightsAPI_rc_ShopFront_Top10Transactions"
| search *
| head 1

This returns a single event, and within its facets I have a name: xyz and results.sum: 123

The sum corresponds to the name, and I need to chart these on a bar chart.

Here is an example of what is returned:

Raw format:

This is what I have done so far to try to chart it, but because there are multiple values in one row, it doesn't work. Additionally the "total time" values aren't lined up with their corresponding result, for example 58245.xxx should be next to "WebTransaction/MVC/ProductController/Category" but it's not, again I assume this is because of them all being dumped into one row.

Finally, I tried dedup/table to get what I needed and the results.sum line up with each name, however again trying to graph this groups all the values of name as one since they are in one row.

Answer 1

I solved it myself, and then converted my results to a percent of the total of my "sum" which was what I needed!

source="new_relic_insights://NRInsightsAPI_rc_ShopFront_Top10Transactions"
| search *
| head 1
| rename facets{}.name as name, facets{}.results{}.sum as sum
| table name sum
| eval name_sum = mvzip(name, sum)
| mvexpand name_sum
| dedup name_sum
| makemv delim="," name_sum
| eval new_name = mvindex(name_sum, 0)
| eval new_sum = mvindex(name_sum, 1)
| fields new_name, new_sum
| eventstats sum(new_sum) as total
| eval percent=round(new_sum/total*100,2)
| fields - total, new_sum

Answer 2

If you want to split the values so they each have their own rows, you should use mvexpand

It will look something like this

... | mvexpand FIELD_NAME