https://community.splunk.com/t5/Getting-Data-In/Dropping-blank-paths-in-a-JSON-search/m-p/387395#M69486 <PRE><CODE> { "event": { "time": "2019-02-10T05:52:03", "StatsMonitor": { "time": "2019-02-10T05:52:03", "name": "StatsMonitor", "LocalTimetDelta": 0, "CaptureTimetDelta": 0, "DeltaTimeAuditLog": 0, "ActiveUsers": 26 } } } AND { "action": { "StatsMonitor": { "time": "2019-02-10T05:52:03", "name": "StatsMonitor", "LocalTimetDelta": 0, "CaptureTimetDelta": 0, "DeltaTimeAuditLog": 0, "ActiveUsers": 26 } } , "action": { "StatsMonitorx": { "time": "2019-01-10T06:52:03", "name": "StatsMonitor", "LocalTimetDelta": 0, "CaptureTimetDelta": 0, "DeltaTimeAuditLog": 0, "ActiveUsers": 52 } } } </CODE></PRE> Wed, 13 Feb 2019 16:51:25 GMT brutecat 2019-02-13T16:51:25Z https://community.splunk.com/t5/Getting-Data-In/Dropping-blank-paths-in-a-JSON-search/m-p/387393#M69484 <P>Hi,</P> <P>I am doing some experimentation wirh regards JSON events. I have two events loaded:</P> <P>{<BR /> "event":<BR /> {<BR /> "time": "2019-02-10T05:52:03",<BR /> "StatsMonitor": {<BR /> "time": "2019-02-10T05:52:03",<BR /> "name": "StatsMonitor",<BR /> "LocalTimetDelta": 0,<BR /> "CaptureTimetDelta": 0,<BR /> "DeltaTimeAuditLog": 0,<BR /> "ActiveUsers": 26<BR /> }<BR /> }</P> <P>}</P> <P>and</P> <P>{<BR /> "action":<BR /> {<BR /> "StatsMonitor": {<BR /> "time": "2019-02-10T05:52:03",<BR /> "name": "StatsMonitor",<BR /> "LocalTimetDelta": 0,<BR /> "CaptureTimetDelta": 0,<BR /> "DeltaTimeAuditLog": 0,<BR /> "ActiveUsers": 26<BR /> }<BR /> }<BR /> ,<BR /> "action":<BR /> {<BR /> "StatsMonitorx": {<BR /> "time": "2019-01-10T06:52:03",<BR /> "name": "StatsMonitor",<BR /> "LocalTimetDelta": 0,<BR /> "CaptureTimetDelta": 0,<BR /> "DeltaTimeAuditLog": 0,<BR /> "ActiveUsers": 52<BR /> }<BR /> }</P> <P>}</P> <P>The index I am using is 'conship'</P> <P>I have a search:</P> <P>index=conship | spath <BR /> path=event.StatsMonitor<BR /> | rename event.time as time, event.StatsMonitor.* as * <BR /> | table time ActiveUsers</P> <P>which is returning both events as results, but has duplicate data coming from the first (which is the correct data).</P> <P>I would have thought:</P> <P>spath path=event.StatsMonitor</P> <P>would have eliminated the data altogether from the second event. Perhaps I could get a blank line, but why am I getting a duplicate from the correct event.</P> <P>Thanks,</P> <P>Stan</P> Wed, 13 Feb 2019 15:58:37 GMT https://community.splunk.com/t5/Getting-Data-In/Dropping-blank-paths-in-a-JSON-search/m-p/387393#M69484 brutecat 2019-02-13T15:58:37Z https://community.splunk.com/t5/Getting-Data-In/Dropping-blank-paths-in-a-JSON-search/m-p/387394#M69485 <P>@brutecat</P> <P>Can you please share sample events using precode block (101010 in text editor) ?</P> Wed, 13 Feb 2019 16:41:19 GMT https://community.splunk.com/t5/Getting-Data-In/Dropping-blank-paths-in-a-JSON-search/m-p/387394#M69485 kamlesh_vaghela 2019-02-13T16:41:19Z https://community.splunk.com/t5/Getting-Data-In/Dropping-blank-paths-in-a-JSON-search/m-p/387395#M69486 <PRE><CODE> { "event": { "time": "2019-02-10T05:52:03", "StatsMonitor": { "time": "2019-02-10T05:52:03", "name": "StatsMonitor", "LocalTimetDelta": 0, "CaptureTimetDelta": 0, "DeltaTimeAuditLog": 0, "ActiveUsers": 26 } } } AND { "action": { "StatsMonitor": { "time": "2019-02-10T05:52:03", "name": "StatsMonitor", "LocalTimetDelta": 0, "CaptureTimetDelta": 0, "DeltaTimeAuditLog": 0, "ActiveUsers": 26 } } , "action": { "StatsMonitorx": { "time": "2019-01-10T06:52:03", "name": "StatsMonitor", "LocalTimetDelta": 0, "CaptureTimetDelta": 0, "DeltaTimeAuditLog": 0, "ActiveUsers": 52 } } } </CODE></PRE> Wed, 13 Feb 2019 16:51:25 GMT https://community.splunk.com/t5/Getting-Data-In/Dropping-blank-paths-in-a-JSON-search/m-p/387395#M69486 brutecat 2019-02-13T16:51:25Z https://community.splunk.com/t5/Getting-Data-In/Dropping-blank-paths-in-a-JSON-search/m-p/387396#M69487 <P>Sorry - I realise the search was also cobbled. The asterisk was dropped:</P> <PRE><CODE>index=conship | spath path=event.StatsMonitor | rename event.time as time, event.StatsMonitor.* as * | table time ActiveUsers </CODE></PRE> Thu, 14 Feb 2019 02:07:20 GMT https://community.splunk.com/t5/Getting-Data-In/Dropping-blank-paths-in-a-JSON-search/m-p/387396#M69487 brutecat 2019-02-14T02:07:20Z https://community.splunk.com/t5/Getting-Data-In/Dropping-blank-paths-in-a-JSON-search/m-p/387397#M69488 <P>Hello @brutecat,</P> <P>the bellow does the trick</P> <PRE><CODE>| makeresults | eval _raw="{ \"event\": { \"time\": \"2019-02-10T05:52:03\", \"StatsMonitor\": { \"time\": \"2019-02-10T05:52:03\", \"name\": \"StatsMonitor\", \"LocalTimetDelta\": 0, \"CaptureTimetDelta\": 0, \"DeltaTimeAuditLog\": 0, \"ActiveUsers\": 26 } }, \"action\": { \"StatsMonitor\": { \"time\": \"2019-02-10T05:52:03\", \"name\": \"StatsMonitor\", \"LocalTimetDelta\": 0, \"CaptureTimetDelta\": 0, \"DeltaTimeAuditLog\": 0, \"ActiveUsers\": 26 } } , \"action\": { \"StatsMonitor\": { \"time\": \"2019-01-10T06:52:03\", \"name\": \"StatsMonitor\", \"LocalTimetDelta\": 0, \"CaptureTimetDelta\": 0, \"DeltaTimeAuditLog\": 0, \"ActiveUsers\": 52 } } }" | spath | rename event.time as time | spath path=event | rename event.StatsMonitor.* as * | table time ActiveUsers </CODE></PRE> Tue, 27 Aug 2019 08:39:44 GMT https://community.splunk.com/t5/Getting-Data-In/Dropping-blank-paths-in-a-JSON-search/m-p/387397#M69488 poete 2019-08-27T08:39:44Z