https://community.splunk.com/t5/Getting-Data-In/Filtering-values-from-a-JSON-file/m-p/167587#M33916 <P>I am trying to parse information from a json file, but am having difficulty doing this.<BR /> Here is my sample json file:</P> <P><CODE>{<BR /> "message":"OK",<BR /> "status":200,<BR /> "responseEntity":[<BR /> {<BR /> "counters":{<BR /> "SearchResult.close()":{<BR /> "name":"SearchResult.close()",<BR /> "count":42,<BR /> "max":9.0,<BR /> "min":0.0<BR /> }<BR /> },<BR /> "errors":{<BR /> },<BR /> "groupDescription":"Counters",<BR /> "groupName":"Group01"<BR /> },<BR /> {<BR /> "counters":{<BR /> "SearchResult.close()":{<BR /> "name":"SearchResult.close()",<BR /> "count":7,<BR /> "max":8.0,<BR /> "min":7.0<BR /> }<BR /> },<BR /> "errors":{<BR /> },<BR /> "groupDescription":"Counters",<BR /> "groupName":"Group2"<BR /> }</CODE></P> <P>I want to be able to filter the value for "SearchResult.close().count" for groupName "group2", however I am unable to do that. I tried</P> <BLOCKQUOTE> <P>| spath path=responseEntity{}.groupName output=groupName | mvexpand groupName |</P> </BLOCKQUOTE> <P>But when I filter by json_group, I still get ALL values(responseEntity{}.counters.SearchResult.close().count values would be both 42, and 7)</P> <P>inputs.conf file<BR /><BR /> [monitor://\HOST01\groupInfo.json]<BR /><BR /> disabled = 0<BR /><BR /> followTail = false<BR /><BR /> host = HOST01<BR /><BR /> sourcetype = JSON Testing<BR /><BR /> crcSalt = <SOURCE> </SOURCE></P> <P>props.conf file<BR /><BR /> [JSON Testing]<BR /><BR /> TRUNCATE = 0<BR /><BR /> KV_MODE = json </P> <P>Is there a way that I can filter by groupName, then only get values that are associated with that group name, for count, max, min etc? Or is there an issue with my json file itself?</P> <P>Thank you</P> Thu, 27 Feb 2014 01:53:31 GMT lain179 2014-02-27T01:53:31Z https://community.splunk.com/t5/Getting-Data-In/Filtering-values-from-a-JSON-file/m-p/167587#M33916 <P>I am trying to parse information from a json file, but am having difficulty doing this.<BR /> Here is my sample json file:</P> <P><CODE>{<BR /> "message":"OK",<BR /> "status":200,<BR /> "responseEntity":[<BR /> {<BR /> "counters":{<BR /> "SearchResult.close()":{<BR /> "name":"SearchResult.close()",<BR /> "count":42,<BR /> "max":9.0,<BR /> "min":0.0<BR /> }<BR /> },<BR /> "errors":{<BR /> },<BR /> "groupDescription":"Counters",<BR /> "groupName":"Group01"<BR /> },<BR /> {<BR /> "counters":{<BR /> "SearchResult.close()":{<BR /> "name":"SearchResult.close()",<BR /> "count":7,<BR /> "max":8.0,<BR /> "min":7.0<BR /> }<BR /> },<BR /> "errors":{<BR /> },<BR /> "groupDescription":"Counters",<BR /> "groupName":"Group2"<BR /> }</CODE></P> <P>I want to be able to filter the value for "SearchResult.close().count" for groupName "group2", however I am unable to do that. I tried</P> <BLOCKQUOTE> <P>| spath path=responseEntity{}.groupName output=groupName | mvexpand groupName |</P> </BLOCKQUOTE> <P>But when I filter by json_group, I still get ALL values(responseEntity{}.counters.SearchResult.close().count values would be both 42, and 7)</P> <P>inputs.conf file<BR /><BR /> [monitor://\HOST01\groupInfo.json]<BR /><BR /> disabled = 0<BR /><BR /> followTail = false<BR /><BR /> host = HOST01<BR /><BR /> sourcetype = JSON Testing<BR /><BR /> crcSalt = <SOURCE> </SOURCE></P> <P>props.conf file<BR /><BR /> [JSON Testing]<BR /><BR /> TRUNCATE = 0<BR /><BR /> KV_MODE = json </P> <P>Is there a way that I can filter by groupName, then only get values that are associated with that group name, for count, max, min etc? Or is there an issue with my json file itself?</P> <P>Thank you</P> Thu, 27 Feb 2014 01:53:31 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-values-from-a-JSON-file/m-p/167587#M33916 lain179 2014-02-27T01:53:31Z https://community.splunk.com/t5/Getting-Data-In/Filtering-values-from-a-JSON-file/m-p/167588#M33917 <P>There is a long and storied history with this kind of use case (breaking up json data in this way). Unfortunately, all of the solutions are as elegant as a drunken hippo in a bouncy castle.</P> <P>Here's something that might work:</P> <P><CODE>| spath output=groupName path=responseEntity{}.groupName | rename responseEntity{}.counters.SearchResult.close().count AS count | eval x=mvzip(groupName,count)|mvexpand x|eval x=split(x,",")|eval groupName = mvindex(x,0)|eval count = mvindex(x,1)| table groupName,count </CODE></P> <P>What's going on here is we're zipping together the values (in order) of the two fields (with mvzip) then turning those into separate events based on the field (with mvexpand), then splitting those zipped fields into their original components (with split and mvindex).</P> Tue, 04 Mar 2014 01:44:15 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-values-from-a-JSON-file/m-p/167588#M33917 bboe 2014-03-04T01:44:15Z https://community.splunk.com/t5/Getting-Data-In/Filtering-values-from-a-JSON-file/m-p/167589#M33918 <P>This worked perfectly, and when i added | where groupName="Group2" <BR /> I was finally able to only get a single value!(Which is one of the things I was having a lot of trouble with)</P> Tue, 04 Mar 2014 18:12:27 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-values-from-a-JSON-file/m-p/167589#M33918 lain179 2014-03-04T18:12:27Z