https://community.splunk.com/t5/Getting-Data-In/Splunk-search-show-results-from-JSON/m-p/485600#M83134 <P>Thanks for this also. Can you also show how to search events where field yyy has value "yy-564".. I'm a bit newbie here <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 05 Mar 2020 08:01:27 GMT panulpet 2020-03-05T08:01:27Z https://community.splunk.com/t5/Getting-Data-In/Splunk-search-show-results-from-JSON/m-p/485595#M83129 <P>Hello,</P> <P>I have following JSON data coming in:</P> <P>{<BR /> "event_timestamp" : "2020-03-03 T 12:56:54 +0200",<BR /> "file_timestamp" : "",<BR /> "username" : "xxxx",<BR /> "session_id" : "F23AA957F1A494C12F2B21B5A7533FF3",<BR /> "request_id" : "74b9cf97-934c-41cb-b81e-1152f51e28b7",<BR /> "register_id" : [ ],<BR /> "system_id" : "ASDFG",<BR /> "environment" : "LINUX",<BR /> "service_id" : "12355",<BR /> "parameters" : [ {<BR /> "field" : "xxx",<BR /> "value" : "xx-123",<BR /> "search" : false,<BR /> "securityProhibition" : false<BR /> }, {<BR /> "field" : "yyy",<BR /> "value" : "yy-564",<BR /> "search" : false,<BR /> "securityProhibition" : false<BR /> }, {<BR /> "field" : "zzz",<BR /> "value" : "1234433222",<BR /> "search" : false,<BR /> "securityProhibition" : false<BR /> }, {<BR /> "field" : "vvv",<BR /> "value" : "<A href="http://www.google.com" target="_blank">www.google.com</A>",<BR /> "search" : false,<BR /> "securityProhibition" : false<BR /> }, {<BR /> "field" : "qqq",<BR /> "value" : "qwert",<BR /> "search" : false,<BR /> "securityProhibition" : false<BR /> } ],<BR /> "info" : null,<BR /> "error" : [ {<BR /> "code" : "202",<BR /> "message" : "General Error"<BR /> } ],<BR /> "schema_version" : "1.0"<BR /> };</P> <P>I have Dashboard where users can make searches based on given values. For example, users can search events selecting yyy (dropdown) and giving value "yy-564" and Splunk tries to search all events where that can be found. For example here I populate the search like this: index=myindex (parameters{}.field="yyy" AND parameters{}.value="yy-564").. That works but it also finds the events where that value "yy-564" is on another parameter field like in zzz.</P> <P>Any Ideas on how should I make this to work the correct way. So that It would only match inside parameters field "yyy" and it's corresponding value "yy-564"?</P> <P>Thanks</P> Wed, 30 Sep 2020 04:27:45 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-search-show-results-from-JSON/m-p/485595#M83129 panulpet 2020-09-30T04:27:45Z https://community.splunk.com/t5/Getting-Data-In/Splunk-search-show-results-from-JSON/m-p/485596#M83130 <PRE><CODE>| makeresults | eval _raw="{\"event_timestamp\":\"2020-03-03 T 12:56:54 +0200\",\"file_timestamp\":\"\",\"username\":\"xxxx\",\"session_id\":\"F23AA957F1A494C12F2B21B5A7533FF3\",\"request_id\":\"74b9cf97-934c-41cb-b81e-1152f51e28b7\",\"register_id\":[],\"system_id\":\"ASDFG\",\"environment\":\"LINUX\",\"service_id\":\"12355\",\"parameters\":[{\"field\":\"xxx\",\"value\":\"xx-123\",\"search\":false,\"securityProhibition\":false},{\"field\":\"yyy\",\"value\":\"yy-564\",\"search\":false,\"securityProhibition\":false},{\"field\":\"zzz\",\"value\":\"1234433222\",\"search\":false,\"securityProhibition\":false},{\"field\":\"vvv\",\"value\":\"www.google.com\",\"search\":false,\"securityProhibition\":false},{\"field\":\"qqq\",\"value\":\"qwert\",\"search\":false,\"securityProhibition\":false}],\"info\":null,\"error\":[{\"code\":\"202\",\"message\":\"General Error\"}],\"schema_version\":\"1.0\"}\";" | spath path=parameters{} output=parameters | spath | stats values(*) as * by parameters | spath input=parameters | fields - parameters* | rename error{}.* as * </CODE></PRE> <P>if you make table like above, search is easy way.</P> Wed, 04 Mar 2020 22:23:45 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-search-show-results-from-JSON/m-p/485596#M83130 to4kawa 2020-03-04T22:23:45Z https://community.splunk.com/t5/Getting-Data-In/Splunk-search-show-results-from-JSON/m-p/485597#M83131 <P>Thanks for this. Still wondering how to search from that table <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> </P> Thu, 05 Mar 2020 04:59:13 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-search-show-results-from-JSON/m-p/485597#M83131 panulpet 2020-03-05T04:59:13Z https://community.splunk.com/t5/Getting-Data-In/Splunk-search-show-results-from-JSON/m-p/485598#M83132 <P>referring to @to4kawa SPL, I performed minor changes to achieve the result </P> <P>Try this </P> <PRE><CODE>| makeresults | eval json="{\"event_timestamp\":\"2020-03-03 T 12:56:54 +0200\",\"file_timestamp\":\"\",\"username\":\"xxxx\",\"session_id\":\"F23AA957F1A494C12F2B21B5A7533FF3\",\"request_id\":\"74b9cf97-934c-41cb-b81e-1152f51e28b7\",\"register_id\":[],\"system_id\":\"ASDFG\",\"environment\":\"LINUX\",\"service_id\":\"12355\",\"parameters\":[{\"field\":\"xxx\",\"value\":\"xx-123\",\"search\":false,\"securityProhibition\":false},{\"field\":\"yyy\",\"value\":\"yy-564\",\"search\":false,\"securityProhibition\":false},{\"field\":\"zzz\",\"value\":\"1234433222\",\"search\":false,\"securityProhibition\":false},{\"field\":\"vvv\",\"value\":\"www.google.com\",\"search\":false,\"securityProhibition\":false},{\"field\":\"qqq\",\"value\":\"qwert\",\"search\":false,\"securityProhibition\":false}],\"info\":null,\"error\":[{\"code\":\"202\",\"message\":\"General Error\"}],\"schema_version\":\"1.0\"}\";" | rex "(?&lt;json&gt;\{.+)" | spath input=json | fields - json | rename parameters{}.* as * | eval fieldValue=mvzip(field,value) | mvexpand fieldValue | eval fieldValue=split(fieldValue,",") | eval field=mvindex(fieldValue,0) | eval value=mvindex(fieldValue,1) | fields - fieldValue search securityProhibition </CODE></PRE> Thu, 05 Mar 2020 05:52:28 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-search-show-results-from-JSON/m-p/485598#M83132 sumanssah 2020-03-05T05:52:28Z https://community.splunk.com/t5/Getting-Data-In/Splunk-search-show-results-from-JSON/m-p/485599#M83133 <PRE><CODE>.... | search field="yyy" </CODE></PRE> Thu, 05 Mar 2020 06:43:47 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-search-show-results-from-JSON/m-p/485599#M83133 to4kawa 2020-03-05T06:43:47Z https://community.splunk.com/t5/Getting-Data-In/Splunk-search-show-results-from-JSON/m-p/485600#M83134 <P>Thanks for this also. Can you also show how to search events where field yyy has value "yy-564".. I'm a bit newbie here <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 05 Mar 2020 08:01:27 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-search-show-results-from-JSON/m-p/485600#M83134 panulpet 2020-03-05T08:01:27Z https://community.splunk.com/t5/Getting-Data-In/Splunk-search-show-results-from-JSON/m-p/485601#M83135 <P>Or maybe like this - populating new search after that:</P> <P>| search field="yyy" value="yy-564" </P> <P>? Am I right?</P> Thu, 05 Mar 2020 08:14:13 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-search-show-results-from-JSON/m-p/485601#M83135 panulpet 2020-03-05T08:14:13Z https://community.splunk.com/t5/Getting-Data-In/Splunk-search-show-results-from-JSON/m-p/485602#M83136 <P>I'm near to get this working as I want <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <PRE><CODE>index=myindex | rex "(?&lt;json&gt;\{.+)" | spath input=json | fields - json | rename parameters{}.* as * | eval fieldValue=mvzip(field,value) | mvexpand fieldValue | eval fieldValue=split(fieldValue,",") | eval field=mvindex(fieldValue,0) | eval value=mvindex(fieldValue,1) | fields - fieldValue search securityProhibition | search field="*" value="*" | table event_timestamp request_id service_id system_id parameters{}.field parameters{}.value _raw </CODE></PRE> <P>The only thing here is that earlier "parameters{}.field and parameters{}.value" populated table with all values. Now that part is empty. How I "print" all field names and values to table from that certain event? Did you get the point <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> </P> Thu, 05 Mar 2020 09:10:51 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-search-show-results-from-JSON/m-p/485602#M83136 panulpet 2020-03-05T09:10:51Z https://community.splunk.com/t5/Getting-Data-In/Splunk-search-show-results-from-JSON/m-p/485603#M83137 <P>Thanks for this!</P> Thu, 05 Mar 2020 09:35:41 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-search-show-results-from-JSON/m-p/485603#M83137 panulpet 2020-03-05T09:35:41Z https://community.splunk.com/t5/Getting-Data-In/Splunk-search-show-results-from-JSON/m-p/485604#M83138 <PRE><CODE>Or I added that myValue=fieldValue which solved my case :) Thanks I'' accept this answer!! index=myindex | rex "(?&lt;json&gt;\{.+)" | spath input=json | fields - json | rename parameters{}.* as * | eval fieldValue=mvzip(field,value) **|eval myValue=fieldValue** | mvexpand fieldValue | eval fieldValue=split(fieldValue,",") | eval field=mvindex(fieldValue,0) | eval value=mvindex(fieldValue,1) | fields - fieldValue search securityProhibition </CODE></PRE> Fri, 06 Mar 2020 06:06:58 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-search-show-results-from-JSON/m-p/485604#M83138 panulpet 2020-03-06T06:06:58Z https://community.splunk.com/t5/Getting-Data-In/Splunk-search-show-results-from-JSON/m-p/485605#M83139 <P>Hi, I noticed later on that mvexpand command shows "dublicate" events on search results on the table when searching using wildcards (*). Is is possible to prevent that or can we make query without mvexpand?</P> Wed, 18 Mar 2020 05:17:48 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-search-show-results-from-JSON/m-p/485605#M83139 panulpet 2020-03-18T05:17:48Z