https://community.splunk.com/t5/Getting-Data-In/How-do-I-write-a-search-query-for-a-hierachial-JSON/m-p/405610#M71982 <P>Thanks @DalJeanis ! </P> Sat, 11 Aug 2018 05:46:30 GMT renjith_nair 2018-08-11T05:46:30Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-write-a-search-query-for-a-hierachial-JSON/m-p/405607#M71979 <P>(I have no experience in Splunk searches)<BR /> The question is simple: </P> <P>I have a JSON like this:</P> <PRE><CODE>{ "name": "Testdata", "children": [ { "name": "A", "children": [ { "name": "A1", "value": 436 }, { "name": "A2", "value": 546 }, { "name": "A3", "value": 223 }, { "name": "A4", "value": 132 }, { "name": "A5", "value": 115 }, { "name": "A6", "value": 96 }] }, { "name": "B", "children": [ { "name": "B1", "value": 453 }, { "name": "B2", "value": 344 }, { "name": "B3", "value": 35 }, { "name": "B4", "value": 65 }, { "name": "B5", "value": 789 }, { "name": "B6", "value": 648 }, { "name": "B7", "value": 147 }] } ] } </CODE></PRE> <P>and I want a table like this:</P> <PRE><CODE>parent |name |value A |A1 | 436 A |A2 | 546 ... |.. |.. B |B1 |443 </CODE></PRE> <P>(Sorry for the bad drawn table)</P> <P>Thanks for the answers!</P> Fri, 10 Aug 2018 11:34:25 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-write-a-search-query-for-a-hierachial-JSON/m-p/405607#M71979 kjubie 2018-08-10T11:34:25Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-write-a-search-query-for-a-hierachial-JSON/m-p/405608#M71980 <P>Use <CODE>spath</CODE> to parse the json. Here is an example</P> <PRE><CODE>| makeresults |eval json="{ \"name\": \"Testdata\", \"children\": [ { \"name\": \"A\", \"children\": [ { \"name\": \"A1\", \"value\": 436 }, { \"name\": \"A2\", \"value\": 546 }, { \"name\": \"A3\", \"value\": 223 }, { \"name\": \"A4\", \"value\": 132 }, { \"name\": \"A5\", \"value\": 115 }, { \"name\": \"A6\", \"value\": 96 }] }, { \"name\": \"B\", \"children\": [ { \"name\": \"B1\", \"value\": 453 }, { \"name\": \"B2\", \"value\": 344 }, { \"name\": \"B3\", \"value\": 35 }, { \"name\": \"B4\", \"value\": 65 }, { \"name\": \"B5\", \"value\": 789 }, { \"name\": \"B6\", \"value\": 648 }, { \"name\": \"B7\", \"value\": 147 }] } ] }" |spath input=json|table children{}.name,children{}.children{}.name,children{}.children{}.value |rename children{}.children{}.name as grand_child_name,children{}.name as child_name,children{}.children{}.value as grand_child_value |eval zipped=mvzip(grand_child_name,grand_child_value)|table child_name,zipped|mvexpand zipped |mvexpand child_name|eval x=split(zipped,",")|eval grand_child_name=mvindex(x,0),grand_child_value=mvindex(x,1) |table child_name,grand_child_name,grand_child_value|eval match=substr(grand_child_name,0,1)|where child_name==match|fields - match </CODE></PRE> Fri, 10 Aug 2018 13:52:01 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-write-a-search-query-for-a-hierachial-JSON/m-p/405608#M71980 renjith_nair 2018-08-10T13:52:01Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-write-a-search-query-for-a-hierachial-JSON/m-p/405609#M71981 <P>Converted this to an answer because it answers the question with an excellent run-anywhere example.</P> Sat, 11 Aug 2018 05:36:41 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-write-a-search-query-for-a-hierachial-JSON/m-p/405609#M71981 DalJeanis 2018-08-11T05:36:41Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-write-a-search-query-for-a-hierachial-JSON/m-p/405610#M71982 <P>Thanks @DalJeanis ! </P> Sat, 11 Aug 2018 05:46:30 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-write-a-search-query-for-a-hierachial-JSON/m-p/405610#M71982 renjith_nair 2018-08-11T05:46:30Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-write-a-search-query-for-a-hierachial-JSON/m-p/405611#M71983 <P>Thanks for your help! Works perfectly!</P> Mon, 13 Aug 2018 07:08:57 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-write-a-search-query-for-a-hierachial-JSON/m-p/405611#M71983 kjubie 2018-08-13T07:08:57Z