topic Re: Multi field combination for JSON file question in Getting Data In https://community.splunk.com/t5/Getting-Data-In/Multi-field-combination-for-JSON-file-question/m-p/491964#M84091 <P>@darkelfaxe, if your issue is that you are getting a multi-value results from your JSON, try adding the following to your existing query</P> <PRE><CODE>index="main" resource online Status | head 1 | fields "EventData.Values{}.Name" "EventData.Values{}.Status" | rename "EventData.Values{}.*" as "*" | eval EventData=mvzip(Name,Status) | fields EventData | mvexpand EventData | makemv EventData delim="," | eval RESOURCE=mvindex(EventData,0),STATUS=mvindex(EventData,1) | streamstats count as ID | fields ID STATUS RESOURCE </CODE></PRE> <P>Please try out and confirm.<BR /> Following is a run anywhere example based on the sample data provided:</P> <PRE><CODE>| makeresults | eval _raw="{\"EventType\":2,\"EventData\":{\"Values\":[{\"Status\":1,\"Name\":\"BOT1\"},{\"Status\":0,\"Name\":\"BOT2\"},{\"Status\":0,\"Name\":\"BOT3\"},{\"Status\":1,\"Name\":\"BOT4\"}],\"Subject\":\"Resource Online Status\",\"Source\":\"Dashboard\"}}" | spath | head 1 | table "EventData.Values{}.Name" "EventData.Values{}.Status" | rename "EventData.Values{}.*" as "*" | eval EventData=mvzip(Name,Status) | fields EventData | mvexpand EventData | makemv EventData delim="," | eval RESOURCE=mvindex(EventData,0),STATUS=mvindex(EventData,1) | streamstats count as ID | fields ID STATUS RESOURCE </CODE></PRE> <P>PS:<BR /> 1. <CODE>table</CODE> is a transforming command, you should avoid use <CODE>fields</CODE> instead.<BR /> 2. Splunk events are sorted in reverse chronological order by default i.e. <CODE>sort - _time</CODE> just consumes performance if you are only interested in latest event. <BR /> 3. <CODE>head 1</CODE> should be first pipe after index search as it pulls only one event from indexer. This should improve performance of your search.</P> <P>Refer to <A href="https://docs.splunk.com/Documentation/Splunk/latest/Search/Writebettersearches">Writing Better Searches</A> Splunk documentation to better understand above points.</P> Sun, 15 Mar 2020 19:50:36 GMT niketn 2020-03-15T19:50:36Z Multi field combination for JSON file question https://community.splunk.com/t5/Getting-Data-In/Multi-field-combination-for-JSON-file-question/m-p/491963#M84090 <P>I'm totally new to splunk, I have this JSON file already indexed:</P> <P>{"EventType":2,"EventData":{"Values":[{"Status":1,"Name":"BOT1"},{"Status":0,"Name":"BOT2"},{"Status":0,"Name":"BOT3"},{"Status":1,"Name":"BOT4"}],"Subject":"Resource Online Status","Source":"Dashboard"}}</P> <P>I need to create a table which contains the Values in separate columns like this:</P> <P>ID STATUS RESOURCE<BR /> 1 1 BOT1<BR /> 2 0 BOT2<BR /> 3 0 BOT3<BR /> 4 1 BOT4</P> <P>I'm trying the following:<BR /> index="main" resource online Status | table "EventData.Values{}.Name" "EventData.Values{}.Status" | sort -_time asc | head 1<BR /> But it gives me this:</P> <P>ID EventData.Values{}.Name EventData.Values{}.Status<BR /> 1 BOT1 BOT2 BOT3 BOT4 1 0 0 1</P> <P>How can I combine the two columns to generate the desired format?</P> <P>Thank you!</P> Sun, 15 Mar 2020 17:39:09 GMT https://community.splunk.com/t5/Getting-Data-In/Multi-field-combination-for-JSON-file-question/m-p/491963#M84090 darkelfaxe 2020-03-15T17:39:09Z Re: Multi field combination for JSON file question https://community.splunk.com/t5/Getting-Data-In/Multi-field-combination-for-JSON-file-question/m-p/491964#M84091 <P>@darkelfaxe, if your issue is that you are getting a multi-value results from your JSON, try adding the following to your existing query</P> <PRE><CODE>index="main" resource online Status | head 1 | fields "EventData.Values{}.Name" "EventData.Values{}.Status" | rename "EventData.Values{}.*" as "*" | eval EventData=mvzip(Name,Status) | fields EventData | mvexpand EventData | makemv EventData delim="," | eval RESOURCE=mvindex(EventData,0),STATUS=mvindex(EventData,1) | streamstats count as ID | fields ID STATUS RESOURCE </CODE></PRE> <P>Please try out and confirm.<BR /> Following is a run anywhere example based on the sample data provided:</P> <PRE><CODE>| makeresults | eval _raw="{\"EventType\":2,\"EventData\":{\"Values\":[{\"Status\":1,\"Name\":\"BOT1\"},{\"Status\":0,\"Name\":\"BOT2\"},{\"Status\":0,\"Name\":\"BOT3\"},{\"Status\":1,\"Name\":\"BOT4\"}],\"Subject\":\"Resource Online Status\",\"Source\":\"Dashboard\"}}" | spath | head 1 | table "EventData.Values{}.Name" "EventData.Values{}.Status" | rename "EventData.Values{}.*" as "*" | eval EventData=mvzip(Name,Status) | fields EventData | mvexpand EventData | makemv EventData delim="," | eval RESOURCE=mvindex(EventData,0),STATUS=mvindex(EventData,1) | streamstats count as ID | fields ID STATUS RESOURCE </CODE></PRE> <P>PS:<BR /> 1. <CODE>table</CODE> is a transforming command, you should avoid use <CODE>fields</CODE> instead.<BR /> 2. Splunk events are sorted in reverse chronological order by default i.e. <CODE>sort - _time</CODE> just consumes performance if you are only interested in latest event. <BR /> 3. <CODE>head 1</CODE> should be first pipe after index search as it pulls only one event from indexer. This should improve performance of your search.</P> <P>Refer to <A href="https://docs.splunk.com/Documentation/Splunk/latest/Search/Writebettersearches">Writing Better Searches</A> Splunk documentation to better understand above points.</P> Sun, 15 Mar 2020 19:50:36 GMT https://community.splunk.com/t5/Getting-Data-In/Multi-field-combination-for-JSON-file-question/m-p/491964#M84091 niketn 2020-03-15T19:50:36Z