https://community.splunk.com/t5/Getting-Data-In/Nested-Json-dependent-on-a-condition/m-p/292366#M55694 <P>Hi @bseifert14, is that how your JSON looks like?<BR /> It's not really standard JSON and you won't be able to use the spath command with that.<BR /> You need double quotes to delimit your field names and their values when non-numeric, commas to separate the key value pairs, etc.</P> <P>If you do have that kind of JSON, would you mind posting it here using the code sample button above (the one with 1's and 0's) so that no special characters are escaped?</P> <P>Then I can try to help as otherwise trying to convert your events above into standard JSON is going to take longer probably than solving your problem.</P> <P>Thanks,<BR /> J</P> Tue, 27 Mar 2018 08:20:21 GMT javiergn 2018-03-27T08:20:21Z https://community.splunk.com/t5/Getting-Data-In/Nested-Json-dependent-on-a-condition/m-p/292365#M55693 <P>This is my first Splunk question bear with me on my explanation..</P> <P>I have 70 events that all have multiple nested jsons in each event. The framework of two events looks something like this:</P> <PRE><CODE>event1:{ "tests": [ { "expectation": "true" "reality":" true" "test_statistics": { "components": "foo, bar" } } { "expectation": "true" "reality": "false" "test_statistics": { "components": "foo, bar, baz" } } event2:{ "tests": [ { "expectation": "true" "reality": "true" "test_statistics": { "components": "foo, bar, baz" } } { "expectation": "true" "reality": "true" "test_statistics": { "components": "foo, bar" } } </CODE></PRE> <P>Ultimately, I want a query that will count up each component based on the fact that expectation=reality. Therefore, my condition should be that true==true (or in other words.. expectation==reality).</P> <P>For my end goal I'd like to get the true tests grouped by components and the total tests grouped by components. So that, I could then generate a table that matches this format (bold is the column headers)--&gt;</P> <P><STRONG>component</STRONG> | if(<STRONG>True==True</STRONG>) | <STRONG>Total Count</STRONG><BR /> foo | 3 | 4<BR /> bar | 3 | 4<BR /> baz | 1 | 4</P> Mon, 26 Mar 2018 16:28:56 GMT https://community.splunk.com/t5/Getting-Data-In/Nested-Json-dependent-on-a-condition/m-p/292365#M55693 bseifert14 2018-03-26T16:28:56Z https://community.splunk.com/t5/Getting-Data-In/Nested-Json-dependent-on-a-condition/m-p/292366#M55694 <P>Hi @bseifert14, is that how your JSON looks like?<BR /> It's not really standard JSON and you won't be able to use the spath command with that.<BR /> You need double quotes to delimit your field names and their values when non-numeric, commas to separate the key value pairs, etc.</P> <P>If you do have that kind of JSON, would you mind posting it here using the code sample button above (the one with 1's and 0's) so that no special characters are escaped?</P> <P>Then I can try to help as otherwise trying to convert your events above into standard JSON is going to take longer probably than solving your problem.</P> <P>Thanks,<BR /> J</P> Tue, 27 Mar 2018 08:20:21 GMT https://community.splunk.com/t5/Getting-Data-In/Nested-Json-dependent-on-a-condition/m-p/292366#M55694 javiergn 2018-03-27T08:20:21Z https://community.splunk.com/t5/Getting-Data-In/Nested-Json-dependent-on-a-condition/m-p/292367#M55695 <P>Thanks for the response Javiergn,<BR /> As you directed I attempted to format as close as possible to the correct format. Also, it should be noted that my query looks something like this to begin with:</P> <PRE><CODE>index=events | eventstats max(_time) as maxtime | where _time = maxtime | spath path=tests{} output=tests | mvexpand tests | spath input=tests | makemv delim=", " test_statistics.components </CODE></PRE> Tue, 27 Mar 2018 13:07:30 GMT https://community.splunk.com/t5/Getting-Data-In/Nested-Json-dependent-on-a-condition/m-p/292367#M55695 bseifert14 2018-03-27T13:07:30Z https://community.splunk.com/t5/Getting-Data-In/Nested-Json-dependent-on-a-condition/m-p/292368#M55696 <P>OK I think I get it now.</P> <P>See if the following sample I tested on my lab works for you:</P> <PRE><CODE>| makeresults | eval events = " {\"tests\": [ { \"expectation\": \"true\", \"reality\":\"true\", \"test_statistics\": { \"components\": \"foo, bar\" } }, { \"expectation\": \"true\", \"reality\": \"false\", \"test_statistics\": { \"components\": \"foo, bar, baz\" } } ]}|| {\"tests\": [ { \"expectation\": \"true\", \"reality\":\"true\", \"test_statistics\": { \"components\": \"foo, bar, baz\" } }, { \"expectation\": \"true\", \"reality\": \"true\", \"test_statistics\": { \"components\": \"foo, bar\" } } ]}" | eval events = split(events, "||") | mvexpand events | spath input=events path=tests{} output=tests | mvexpand tests | spath input=tests | rename "test_statistics.components" as component | makemv delim="," component | mvexpand component | stats count(eval(match(expectation, reality))) as RealityIsExpectationCount, count as TotalCount by component </CODE></PRE> <P>This would be the output which I understand it is exactly what you were expecting:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/4636i60CCF6A78E2D8F68/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Wed, 28 Mar 2018 11:01:49 GMT https://community.splunk.com/t5/Getting-Data-In/Nested-Json-dependent-on-a-condition/m-p/292368#M55696 javiergn 2018-03-28T11:01:49Z https://community.splunk.com/t5/Getting-Data-In/Nested-Json-dependent-on-a-condition/m-p/292369#M55697 <P>@bseifert14 please do not forget to accept the answer if you are happy with it</P> Tue, 29 May 2018 10:06:45 GMT https://community.splunk.com/t5/Getting-Data-In/Nested-Json-dependent-on-a-condition/m-p/292369#M55697 javiergn 2018-05-29T10:06:45Z