https://community.splunk.com/t5/Getting-Data-In/Issues-with-Parsing-JSON/m-p/466552#M80376 <PRE><CODE>| makeresults | eval _raw="{\"uid\":\"a82ee257\",\"name\":\"Throughput Utilization\",\"axisXType\":\"DateTime\",\"elementReports\":[{\"element\":{\"id\":\"001\",\"name\":\"NS-001\",\"type\":\"NetworkSegment\"},\"series\":[{\"uid\":\"3242d4e4\",\"instance\":\"0\",\"name\":\"Utilization\",\"data\":[{\"x\":1551051000000,\"y\":0.0},{\"x\":1551051300000,\"y\":3.1},{\"x\":1551136800000,\"y\":7.4},{\"x\":1551137100000,\"y\":1.6}],\"e\":1}]},{\"element\":{\"id\":\"002\",\"name\":\"NS-002\",\"type\":\"NetworkSegment\"},\"series\":[{\"uid\":\"4654d4e4\",\"instance\":\"0\",\"name\":\"Utilization\",\"data\":[{\"x\":1551051000000,\"y\":0.3},{\"x\":1551051300000,\"y\":0.0},{\"x\":1551051600000,\"y\":0.0},{\"x\":1551137100000,\"y\":2.12}],\"e\":1}]},{\"element\":{\"id\":\"003\",\"name\":\"NS-003\",\"type\":\"NetworkSegment\"},\"series\":[{\"uid\":\"2481d4e6\",\"instance\":\"0\",\"name\":\"Utilization\",\"data\":[{\"x\":1551051000000,\"y\":0.0},{\"x\":1551051300000,\"y\":0.0},{\"x\":1551051900000,\"y\":0.0},{\"x\":1551136800000,\"y\":0.0}],\"e\":1}]},{\"element\":{\"id\":\"004\",\"name\":\"NS-004\",\"type\":\"NetworkSegment\"},\"series\":[]}]}" | rex mode=sed "s/.({\s*\"element)/#\1/g" | makemv delim="#" _raw | stats count by _raw | rename COMMENT as "this is your sample with LINE_BREAKER. From here, the logic" | spath path=series{}.data{} output=data | stats values(_raw) as _raw by data | spath input=data | spath | fields - _* series{}.data{}* data </CODE></PRE> <P>props.conf</P> <PRE><CODE>[json_sample] TRUNCATE = 0 SHOULD_LINEMERGE = false LINE_BREAKER = (.){\s*\"element </CODE></PRE> <P>I made SPL with your setting.</P> <HR /> <PRE><CODE>| makeresults | eval _raw="{ \"uid\" : \"a82ee257\", \"name\" : \"Throughput Utilization\", \"axisXType\" : \"DateTime\", \"elementReports\" : [ { \"element\" : { \"id\" : \"001\", \"name\" : \"NS-001\", \"type\" : \"NetworkSegment\" }, \"series\" : [ { \"uid\" : \"3242d4e4\", \"instance\" : \"0\", \"name\" : \"Utilization\", \"data\" : [ { \"x\" : 1551051000000, \"y\" : 0.0 }, { \"x\" : 1551051300000, \"y\" : 3.1 }, { \"x\" : 1551136800000, \"y\" : 7.4 }, { \"x\" : 1551137100000, \"y\" : 1.6 } ], \"e\" : 1 } ] }, { \"element\" : { \"id\" : \"002\", \"name\" : \"NS-002\", \"type\" : \"NetworkSegment\" }, \"series\" : [ { \"uid\" : \"4654d4e4\", \"instance\" : \"0\", \"name\" : \"Utilization\", \"data\" : [ { \"x\" : 1551051000000, \"y\" : 0.3 }, { \"x\" : 1551051300000, \"y\" : 0.0 }, { \"x\" : 1551051600000, \"y\" : 0.0 }, { \"x\" : 1551137100000, \"y\" : 2.12 } ], \"e\" : 1 } ] }, { \"element\" : { \"id\" : \"003\", \"name\" : \"NS-003\", \"type\" : \"NetworkSegment\" }, \"series\" : [ { \"uid\" : \"2481d4e6\", \"instance\" : \"0\", \"name\" : \"Utilization\", \"data\" : [ { \"x\" : 1551051000000, \"y\" : 0.0 }, { \"x\" : 1551051300000, \"y\" : 0.0 }, { \"x\" : 1551051900000, \"y\" : 0.0 }, { \"x\" : 1551136800000, \"y\" : 0.0 } ], \"e\" : 1 } ] }, { \"element\" : { \"id\" : \"004\", \"name\" : \"NS-004\", \"type\" : \"NetworkSegment\" }, \"series\" : [ ] } ] }" | spath path=elementReports{} output=elementReports | mvexpand elementReports | spath input=elementReports path=series{}.data{} output=data | mvexpand data | spath input=elementReports | spath input=data | fields - series{}.data* elementReports data _* | rename series{}.* as * </CODE></PRE> <P>props.conf</P> <PRE><CODE>[json_sample] TRUNCATE = 0 SHOULD_LINEMERGE = false KV_MODE = JSON </CODE></PRE> <P>Isn't it okay if you don't divide it?</P> Sat, 04 Apr 2020 04:21:06 GMT to4kawa 2020-04-04T04:21:06Z https://community.splunk.com/t5/Getting-Data-In/Issues-with-Parsing-JSON/m-p/466551#M80375 <P>Hello everyone,</P> <P>I having issues using Splunk to read and extract fields from this JSON file.<BR /> I would appreciate any help.</P> <P><STRONG>json data</STRONG></P> <PRE><CODE>{ "uid" : "a82ee257", "name" : "Throughput Utilization", "axisXType" : "DateTime", "elementReports" : [ { "element" : { "id" : "001", "name" : "NS-001", "type" : "NetworkSegment" }, "series" : [ { "uid" : "3242d4e4", "instance" : "0", "name" : "Utilization", "data" : [ { "x" : 1551051000000, "y" : 0.0 }, { "x" : 1551051300000, "y" : 3.1 }, { "x" : 1551136800000, "y" : 7.4 }, { "x" : 1551137100000, "y" : 1.6 } ], "e" : 1 } ] }, { "element" : { "id" : "002", "name" : "NS-002", "type" : "NetworkSegment" }, "series" : [ { "uid" : "4654d4e4", "instance" : "0", "name" : "Utilization", "data" : [ { "x" : 1551051000000, "y" : 0.3 }, { "x" : 1551051300000, "y" : 0.0 }, { "x" : 1551051600000, "y" : 0.0 }, { "x" : 1551137100000, "y" : 2.12 } ], "e" : 1 } ] }, { "element" : { "id" : "003", "name" : "NS-003", "type" : "NetworkSegment" }, "series" : [ { "uid" : "2481d4e6", "instance" : "0", "name" : "Utilization", "data" : [ { "x" : 1551051000000, "y" : 0.0 }, { "x" : 1551051300000, "y" : 0.0 }, { "x" : 1551051900000, "y" : 0.0 }, { "x" : 1551136800000, "y" : 0.0 } ], "e" : 1 } ] }, { "element" : { "id" : "004", "name" : "NS-004", "type" : "NetworkSegment" }, "series" : [ ] } ] } </CODE></PRE> <P><STRONG>Here is my setting:</STRONG></P> <PRE><CODE>[json_sample] TRUNCATE = 0 SHOULD_LINEMERGE=false LINE_BREAKER = (,*){\s+"element" </CODE></PRE> <P><STRONG>Here is what I am expecting:</STRONG></P> <PRE><CODE>element.id,element.name,element.type,element.series.uid,element.series.instance,element.series.name,data.x,data.y,,,, 001,NS-001,NetworkSegment,3242d4e4,0,Utilization,1551051000000,0.0,,,, 001,NS-001,NetworkSegment,3242d4e4,0,Utilization,1551051300000,3.1,,,, 001,NS-001,NetworkSegment,3242d4e4,0,Utilization,1551136800000,7.4,,,, 001,NS-001,NetworkSegment,3242d4e4,0,Utilization,1551137100000,1.6,,,, 002,NS-002,NetworkSegment,4654d4e4,0,Utilization,1551051000000,0.3,,,, 002,NS-002,NetworkSegment,4654d4e4,0,Utilization,1551051300000,0.0,,,, 002,NS-002,NetworkSegment,4654d4e4,0,Utilization,1551136800000,0.0,,,, 002,NS-002,NetworkSegment,4654d4e4,0,Utilization,1551137100000,2.12,,,, 003,NS-003,NetworkSegment,2481d4e6,0,Utilization,1551051000000,,,,, 003,NS-003,NetworkSegment,2481d4e6,0,Utilization,1551051300000,,,,, 003,NS-003,NetworkSegment,2481d4e6,0,Utilization,1551136800000,,,,, 003,NS-003,NetworkSegment,2481d4e6,0,Utilization,1551137100000,,,,, </CODE></PRE> Fri, 03 Apr 2020 16:26:32 GMT https://community.splunk.com/t5/Getting-Data-In/Issues-with-Parsing-JSON/m-p/466551#M80375 dvmodeste 2020-04-03T16:26:32Z https://community.splunk.com/t5/Getting-Data-In/Issues-with-Parsing-JSON/m-p/466552#M80376 <PRE><CODE>| makeresults | eval _raw="{\"uid\":\"a82ee257\",\"name\":\"Throughput Utilization\",\"axisXType\":\"DateTime\",\"elementReports\":[{\"element\":{\"id\":\"001\",\"name\":\"NS-001\",\"type\":\"NetworkSegment\"},\"series\":[{\"uid\":\"3242d4e4\",\"instance\":\"0\",\"name\":\"Utilization\",\"data\":[{\"x\":1551051000000,\"y\":0.0},{\"x\":1551051300000,\"y\":3.1},{\"x\":1551136800000,\"y\":7.4},{\"x\":1551137100000,\"y\":1.6}],\"e\":1}]},{\"element\":{\"id\":\"002\",\"name\":\"NS-002\",\"type\":\"NetworkSegment\"},\"series\":[{\"uid\":\"4654d4e4\",\"instance\":\"0\",\"name\":\"Utilization\",\"data\":[{\"x\":1551051000000,\"y\":0.3},{\"x\":1551051300000,\"y\":0.0},{\"x\":1551051600000,\"y\":0.0},{\"x\":1551137100000,\"y\":2.12}],\"e\":1}]},{\"element\":{\"id\":\"003\",\"name\":\"NS-003\",\"type\":\"NetworkSegment\"},\"series\":[{\"uid\":\"2481d4e6\",\"instance\":\"0\",\"name\":\"Utilization\",\"data\":[{\"x\":1551051000000,\"y\":0.0},{\"x\":1551051300000,\"y\":0.0},{\"x\":1551051900000,\"y\":0.0},{\"x\":1551136800000,\"y\":0.0}],\"e\":1}]},{\"element\":{\"id\":\"004\",\"name\":\"NS-004\",\"type\":\"NetworkSegment\"},\"series\":[]}]}" | rex mode=sed "s/.({\s*\"element)/#\1/g" | makemv delim="#" _raw | stats count by _raw | rename COMMENT as "this is your sample with LINE_BREAKER. From here, the logic" | spath path=series{}.data{} output=data | stats values(_raw) as _raw by data | spath input=data | spath | fields - _* series{}.data{}* data </CODE></PRE> <P>props.conf</P> <PRE><CODE>[json_sample] TRUNCATE = 0 SHOULD_LINEMERGE = false LINE_BREAKER = (.){\s*\"element </CODE></PRE> <P>I made SPL with your setting.</P> <HR /> <PRE><CODE>| makeresults | eval _raw="{ \"uid\" : \"a82ee257\", \"name\" : \"Throughput Utilization\", \"axisXType\" : \"DateTime\", \"elementReports\" : [ { \"element\" : { \"id\" : \"001\", \"name\" : \"NS-001\", \"type\" : \"NetworkSegment\" }, \"series\" : [ { \"uid\" : \"3242d4e4\", \"instance\" : \"0\", \"name\" : \"Utilization\", \"data\" : [ { \"x\" : 1551051000000, \"y\" : 0.0 }, { \"x\" : 1551051300000, \"y\" : 3.1 }, { \"x\" : 1551136800000, \"y\" : 7.4 }, { \"x\" : 1551137100000, \"y\" : 1.6 } ], \"e\" : 1 } ] }, { \"element\" : { \"id\" : \"002\", \"name\" : \"NS-002\", \"type\" : \"NetworkSegment\" }, \"series\" : [ { \"uid\" : \"4654d4e4\", \"instance\" : \"0\", \"name\" : \"Utilization\", \"data\" : [ { \"x\" : 1551051000000, \"y\" : 0.3 }, { \"x\" : 1551051300000, \"y\" : 0.0 }, { \"x\" : 1551051600000, \"y\" : 0.0 }, { \"x\" : 1551137100000, \"y\" : 2.12 } ], \"e\" : 1 } ] }, { \"element\" : { \"id\" : \"003\", \"name\" : \"NS-003\", \"type\" : \"NetworkSegment\" }, \"series\" : [ { \"uid\" : \"2481d4e6\", \"instance\" : \"0\", \"name\" : \"Utilization\", \"data\" : [ { \"x\" : 1551051000000, \"y\" : 0.0 }, { \"x\" : 1551051300000, \"y\" : 0.0 }, { \"x\" : 1551051900000, \"y\" : 0.0 }, { \"x\" : 1551136800000, \"y\" : 0.0 } ], \"e\" : 1 } ] }, { \"element\" : { \"id\" : \"004\", \"name\" : \"NS-004\", \"type\" : \"NetworkSegment\" }, \"series\" : [ ] } ] }" | spath path=elementReports{} output=elementReports | mvexpand elementReports | spath input=elementReports path=series{}.data{} output=data | mvexpand data | spath input=elementReports | spath input=data | fields - series{}.data* elementReports data _* | rename series{}.* as * </CODE></PRE> <P>props.conf</P> <PRE><CODE>[json_sample] TRUNCATE = 0 SHOULD_LINEMERGE = false KV_MODE = JSON </CODE></PRE> <P>Isn't it okay if you don't divide it?</P> Sat, 04 Apr 2020 04:21:06 GMT https://community.splunk.com/t5/Getting-Data-In/Issues-with-Parsing-JSON/m-p/466552#M80376 to4kawa 2020-04-04T04:21:06Z https://community.splunk.com/t5/Getting-Data-In/Issues-with-Parsing-JSON/m-p/466553#M80377 <P>Thanks to4kawa.<BR /> you did great job. it is working.<BR /> could you please help me understand this ?</P> <P>| rex mode=sed "s/.({\s*\"element)/#\1/g"<BR /> | makemv delim="#" _raw<BR /> | stats count by _raw<BR /> | rename COMMENT as "this is your sample with LINE_BREAKER. From here, the logic"<BR /> | spath path=series{}.data{} output=data<BR /> | stats values(_raw) as _raw by data<BR /> | spath input=data<BR /> | spath<BR /> | fields - _* series{}.data{}* data</P> Wed, 30 Sep 2020 04:53:57 GMT https://community.splunk.com/t5/Getting-Data-In/Issues-with-Parsing-JSON/m-p/466553#M80377 dvmodeste 2020-09-30T04:53:57Z https://community.splunk.com/t5/Getting-Data-In/Issues-with-Parsing-JSON/m-p/466554#M80378 <PRE><CODE>| rex mode=sed "s/.({\s*\"element)/#\1/g" | makemv delim="#" _raw | stats count by _raw | rename COMMENT as "this is your sample with LINE_BREAKER. From here, the logic" | spath path=series{}.data{} output=data | stats values(_raw) as _raw by data | spath input=data | spath | fields - series{}.data{} data </CODE></PRE> <UL> <LI><CODE>rex</CODE> makes delimiter <CODE>#</CODE> <CODE>LINE_BREAKER = (.){\s*\"element</CODE> ≒ <CODE>| rex mode=sed "s/.({\s*\"element)/#\1/g" | makemv delim="#" _raw</CODE> <CODE>.(dot)</CODE> is break point.</LI> <LI> from <CODE>| spath path=series{}.data{} output=data</CODE>, try line by line and check result.</LI> <LI><CODE>stats</CODE> is an alternative to <CODE>mvexpand</CODE>.</LI> <LI>two <CODE>spath</CODE> extract the required fields.</LI> <LI>at last, remove extra fields.</LI> </UL> Wed, 08 Apr 2020 07:20:02 GMT https://community.splunk.com/t5/Getting-Data-In/Issues-with-Parsing-JSON/m-p/466554#M80378 to4kawa 2020-04-08T07:20:02Z