https://community.splunk.com/t5/Getting-Data-In/How-to-parse-json-array-and-rename-the-values/m-p/294864#M56026 <P>@mkamal18, please try the following run anywhere search. Since you are not worried about dsnames and dstypes JSON nodes, I have taken them out while creating test data as per sample provided. This implies actual JSON field name for <CODE>values</CODE>, on using <CODE>spath</CODE> command will change from the one used in this example.</P> <PRE><CODE>| makeresults | eval _raw="{ \"host\": \"test\", \"interval\": 60 , \"plugin\": \"snmp\", \"plugin_instance\": { \"time\": \"1510070934.341\", \"type\": \"ps_count\", \"type_instance\": \"fval3-cp-23800-1_vs30\", \"values\": [45,0]}}" | spath | rename "plugin_instance.values{}" AS "values" | eval name=mvindex(values,0) | eval value=mvindex(values,1) </CODE></PRE> <P>You can pipe <CODE>spath</CODE> command to your raw data to get JSON fields extracted. You will notice the <CODE>*values{}</CODE> field will be multi-valued array. You would need to rename according to its name to simplified name such as <CODE>values</CODE>. Finally use the <CODE>mvindex()</CODE> evaluation function to pull values at 0 and 1 index.</P> <PRE><CODE>&lt;YourBaseSearch&gt; | spath | rename "plugin_instance.values{}" AS "values" | eval name=mvindex(values,0) | eval value=mvindex(values,1) </CODE></PRE> <P>PS: Please change the rename command as per actual original field name for <CODE>*values{}</CODE></P> Thu, 23 Nov 2017 16:27:48 GMT niketn 2017-11-23T16:27:48Z https://community.splunk.com/t5/Getting-Data-In/How-to-parse-json-array-and-rename-the-values/m-p/294862#M56024 <P>Hello,</P> <P>I would like to parse the array called <STRONG>values</STRONG> that contains 45 and 0 <BR /> I want to rename them then 45 as name and 0 as value</P> <P>{ [-] <BR /> dsnames: [ [+] <BR /> ]<BR /><BR /> dstypes: [ [+] <BR /> ]<BR /><BR /> host: test<BR /><BR /> interval: 60 <BR /> plugin: snmp<BR /><BR /> plugin_instance:<BR /><BR /> time: 1510070934.341 <BR /> type: ps_count<BR /><BR /> type_instance: fval3-cp-23800-1_vs30<BR /><BR /> <STRONG>values: [ [-] <BR /> 45 <BR /> 0<BR /><BR /> ]</STRONG> <BR /> }</P> <P>Can you help me please?</P> <P>Thank you in advance</P> Tue, 29 Sep 2020 16:52:58 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-parse-json-array-and-rename-the-values/m-p/294862#M56024 mkamal18 2020-09-29T16:52:58Z https://community.splunk.com/t5/Getting-Data-In/How-to-parse-json-array-and-rename-the-values/m-p/294863#M56025 <P>Hi @mkamal18,</P> <P>Use <CODE>values{}</CODE> to access <STRONG>values</STRONG> field.</P> <P>Please check my sample search.</P> <PRE><CODE>| makeresults | eval _raw="{\"values\": [\"45\",\"0\"] }" | spath | rename values{} as values </CODE></PRE> <P>Happy Splunking</P> Thu, 23 Nov 2017 16:23:23 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-parse-json-array-and-rename-the-values/m-p/294863#M56025 kamlesh_vaghela 2017-11-23T16:23:23Z https://community.splunk.com/t5/Getting-Data-In/How-to-parse-json-array-and-rename-the-values/m-p/294864#M56026 <P>@mkamal18, please try the following run anywhere search. Since you are not worried about dsnames and dstypes JSON nodes, I have taken them out while creating test data as per sample provided. This implies actual JSON field name for <CODE>values</CODE>, on using <CODE>spath</CODE> command will change from the one used in this example.</P> <PRE><CODE>| makeresults | eval _raw="{ \"host\": \"test\", \"interval\": 60 , \"plugin\": \"snmp\", \"plugin_instance\": { \"time\": \"1510070934.341\", \"type\": \"ps_count\", \"type_instance\": \"fval3-cp-23800-1_vs30\", \"values\": [45,0]}}" | spath | rename "plugin_instance.values{}" AS "values" | eval name=mvindex(values,0) | eval value=mvindex(values,1) </CODE></PRE> <P>You can pipe <CODE>spath</CODE> command to your raw data to get JSON fields extracted. You will notice the <CODE>*values{}</CODE> field will be multi-valued array. You would need to rename according to its name to simplified name such as <CODE>values</CODE>. Finally use the <CODE>mvindex()</CODE> evaluation function to pull values at 0 and 1 index.</P> <PRE><CODE>&lt;YourBaseSearch&gt; | spath | rename "plugin_instance.values{}" AS "values" | eval name=mvindex(values,0) | eval value=mvindex(values,1) </CODE></PRE> <P>PS: Please change the rename command as per actual original field name for <CODE>*values{}</CODE></P> Thu, 23 Nov 2017 16:27:48 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-parse-json-array-and-rename-the-values/m-p/294864#M56026 niketn 2017-11-23T16:27:48Z https://community.splunk.com/t5/Getting-Data-In/How-to-parse-json-array-and-rename-the-values/m-p/294865#M56027 <P>Perfect it works, Thanks man!! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 23 Nov 2017 16:34:10 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-parse-json-array-and-rename-the-values/m-p/294865#M56027 mkamal18 2017-11-23T16:34:10Z https://community.splunk.com/t5/Getting-Data-In/How-to-parse-json-array-and-rename-the-values/m-p/294866#M56028 <P>Anytime! Do think of us in case you need further help with your Splunk queries <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 24 Nov 2017 04:03:44 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-parse-json-array-and-rename-the-values/m-p/294866#M56028 niketn 2017-11-24T04:03:44Z