topic Re: Create Splunk Table from nested json output in Getting Data In https://community.splunk.com/t5/Getting-Data-In/Create-Splunk-Table-from-nested-json-output/m-p/535246#M89767 <P>Saved my day. This works perfectly. Thank you so much!!</P> Fri, 08 Jan 2021 19:26:46 GMT niddhi 2021-01-08T19:26:46Z Create Splunk Table from nested json output https://community.splunk.com/t5/Getting-Data-In/Create-Splunk-Table-from-nested-json-output/m-p/535133#M89754 <P>Hi,</P><P>Can someone please help me create a Splunk Table from the below data:</P><P>&nbsp;</P><LI-CODE lang="markup">{ "cd":[ { "cn":"cust-1", "s":"api", "ps":61, "fs":94, "es":142, "ud":[ { "un":"user-0", "ps":61, "fs":94, "es":142, "ad":[ { "at":"asset2", "ps":61, "fs":94, "es":142, "ttd":[ { "tt":null, "ps":61, "fs":94, "es":142 } ] } ] } ] }, { "cn":"cust-2", "s":"api", "ps":727, "fs":152, "es":26, "ud":[ { "un":"user-6", "ps":725, "fs":149, "es":21, "ad":[ { "at":"asset1", "ps":722, "fs":149, "es":20, "ttd":[ { "tt":null, "ps":722, "fs":149, "es":20 } ] }, { "at":"asset2", "ps":3, "fs":0, "es":1, "ttd":[ { "tt":null, "ps":3, "fs":0, "es":1 } ] } ] }, { "un":"user1", "ps":1, "fs":0, "es":0, "ad":[ { "at":"asset1", "ps":1, "fs":0, "es":0, "ttd":[ { "tt":null, "ps":1, "fs":0, "es":0 } ] } ] }, { "un":"user2", "ps":1, "fs":3, "es":5, "ad":[ { "at":"asset2", "ps":1, "fs":3, "es":5, "ttd":[ { "tt":null, "ps":1, "fs":3, "es":5 } ] } ] } ] }, { "cn":"cust-3", "s":"api", "ps":0, "fs":1, "es":0, "ud":[ { "un":"user-3", "ps":0, "fs":1, "es":0, "ad":[ { "at":"asset2", "ps":0, "fs":1, "es":0, "ttd":[ { "tt":null, "ps":0, "fs":1, "es":0 } ] } ] } ] }, { "cn":"cust-4", "s":"api", "ps":1, "fs":4, "es":22, "ud":[ { "un":"user-4", "ps":1, "fs":4, "es":22, "ad":[ { "at":"asset1", "ps":1, "fs":4, "es":22, "ttd":[ { "tt":null, "ps":1, "fs":4, "es":22 } ] } ] } ] } ] }</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>I want the output to be like:</P><TABLE border="1" width="100.00000000000001%"><TBODY><TR><TD width="16.666666666666668%" height="25px">cn</TD><TD width="16.666666666666668%" height="25px">un</TD><TD width="16.666666666666668%" height="25px">at</TD><TD width="16.666666666666668%" height="25px">tt</TD><TD width="16.666666666666668%" height="25px">ps</TD><TD width="8.333333333333334%" height="25px">fs</TD><TD width="8.333333333333334%" height="25px">es</TD></TR><TR><TD width="16.666666666666668%" height="40px">cust-1</TD><TD width="16.666666666666668%" height="40px"><P>user-0</P></TD><TD width="16.666666666666668%" height="40px"><P>asset2</P></TD><TD width="16.666666666666668%" height="40px">null</TD><TD width="16.666666666666668%" height="40px">61</TD><TD width="8.333333333333334%" height="40px">94</TD><TD width="8.333333333333334%" height="40px">142</TD></TR><TR><TD width="16.666666666666668%" height="151px">cust-2</TD><TD width="16.666666666666668%" height="151px"><P>user-6</P><P>&nbsp;</P><P>user1</P><P>user2</P></TD><TD width="16.666666666666668%" height="151px"><P>asset1</P><P>asset2</P><P>asset1</P><P>asset2</P></TD><TD width="16.666666666666668%" height="151px"><P>null</P><P>null</P><P>null</P><P>null</P></TD><TD width="16.666666666666668%" height="151px"><P>722</P><P>3</P><P>1</P><P>1</P></TD><TD width="8.333333333333334%" height="151px"><P>149</P><P>0</P><P>0</P><P>3</P></TD><TD width="8.333333333333334%" height="151px"><P>20</P><P>1</P><P>0</P><P>5</P></TD></TR><TR><TD height="25px">cust-3</TD><TD height="25px">user-3</TD><TD height="25px">asset2</TD><TD height="25px">null</TD><TD height="25px">0</TD><TD height="25px">1</TD><TD height="25px">0</TD></TR><TR><TD>cust4</TD><TD>user-4</TD><TD>asset1</TD><TD>null</TD><TD>1</TD><TD>4</TD><TD>22</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>Thanks in advance.</P> Fri, 08 Jan 2021 01:15:20 GMT https://community.splunk.com/t5/Getting-Data-In/Create-Splunk-Table-from-nested-json-output/m-p/535133#M89754 niddhi 2021-01-08T01:15:20Z Re: Create Splunk Table from nested json output https://community.splunk.com/t5/Getting-Data-In/Create-Splunk-Table-from-nested-json-output/m-p/535158#M89755 <LI-CODE lang="markup">| makeresults | eval _raw="{ \"cd\":[ { \"cn\":\"cust-1\", \"s\":\"api\", \"ps\":61, \"fs\":94, \"es\":142, \"ud\":[ { \"un\":\"user-0\", \"ps\":61, \"fs\":94, \"es\":142, \"ad\":[ { \"at\":\"asset2\", \"ps\":61, \"fs\":94, \"es\":142, \"ttd\":[ { \"tt\":null, \"ps\":61, \"fs\":94, \"es\":142 } ] } ] } ] }, { \"cn\":\"cust-2\", \"s\":\"api\", \"ps\":727, \"fs\":152, \"es\":26, \"ud\":[ { \"un\":\"user-6\", \"ps\":725, \"fs\":149, \"es\":21, \"ad\":[ { \"at\":\"asset1\", \"ps\":722, \"fs\":149, \"es\":20, \"ttd\":[ { \"tt\":null, \"ps\":722, \"fs\":149, \"es\":20 } ] }, { \"at\":\"asset2\", \"ps\":3, \"fs\":0, \"es\":1, \"ttd\":[ { \"tt\":null, \"ps\":3, \"fs\":0, \"es\":1 } ] } ] }, { \"un\":\"user1\", \"ps\":1, \"fs\":0, \"es\":0, \"ad\":[ { \"at\":\"asset1\", \"ps\":1, \"fs\":0, \"es\":0, \"ttd\":[ { \"tt\":null, \"ps\":1, \"fs\":0, \"es\":0 } ] } ] }, { \"un\":\"user2\", \"ps\":1, \"fs\":3, \"es\":5, \"ad\":[ { \"at\":\"asset2\", \"ps\":1, \"fs\":3, \"es\":5, \"ttd\":[ { \"tt\":null, \"ps\":1, \"fs\":3, \"es\":5 } ] } ] } ] }, { \"cn\":\"cust-3\", \"s\":\"api\", \"ps\":0, \"fs\":1, \"es\":0, \"ud\":[ { \"un\":\"user-3\", \"ps\":0, \"fs\":1, \"es\":0, \"ad\":[ { \"at\":\"asset2\", \"ps\":0, \"fs\":1, \"es\":0, \"ttd\":[ { \"tt\":null, \"ps\":0, \"fs\":1, \"es\":0 } ] } ] } ] }, { \"cn\":\"cust-4\", \"s\":\"api\", \"ps\":1, \"fs\":4, \"es\":22, \"ud\":[ { \"un\":\"user-4\", \"ps\":1, \"fs\":4, \"es\":22, \"ad\":[ { \"at\":\"asset1\", \"ps\":1, \"fs\":4, \"es\":22, \"ttd\":[ { \"tt\":null, \"ps\":1, \"fs\":4, \"es\":22 } ] } ] } ] } ] }" | spath path=cd{} output=cd | fields - _* | mvexpand cd | spath input=cd path=ud{} output=ud | rex field=cd "\"cn\":\"(?&lt;cn&gt;[^\"]+)" | fields - cd | mvexpand ud | spath input=ud path=ad{} output=ad | rex field=ud "\"un\":\"(?&lt;un&gt;[^\"]+)" | fields - ud | mvexpand ad | spath input=ad path=ttd{} output=ttd | rex field=ad "\"at\":\"(?&lt;at&gt;[^\"]+)" | fields - ad | spath input=ttd | fields - ttd | table cn un at tt ps fs es</LI-CODE> Fri, 08 Jan 2021 08:24:54 GMT https://community.splunk.com/t5/Getting-Data-In/Create-Splunk-Table-from-nested-json-output/m-p/535158#M89755 ITWhisperer 2021-01-08T08:24:54Z Re: Create Splunk Table from nested json output https://community.splunk.com/t5/Getting-Data-In/Create-Splunk-Table-from-nested-json-output/m-p/535246#M89767 <P>Saved my day. This works perfectly. Thank you so much!!</P> Fri, 08 Jan 2021 19:26:46 GMT https://community.splunk.com/t5/Getting-Data-In/Create-Splunk-Table-from-nested-json-output/m-p/535246#M89767 niddhi 2021-01-08T19:26:46Z