https://community.splunk.com/t5/Getting-Data-In/Extract-values-from-nested-JSON-with-same-name-fields/m-p/547269#M91097 <P>Hi people,</P><P>First of all I'm still newbie with Splunk, but I'm trying to extract fields from a JSON sent by the Admin Report API from Google and I'm having trouble.&nbsp;</P><P>Here is a sample JSON:</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">{"kind": "admin#reports#activity", "id": {"time": "2021-04-08T19:21:27.595Z", "uniqueQualifier": "-0987654321", "applicationName": "chat", "customerId": "C0123456A"}, "etag": "\"giant/string\"", "actor": {"callerType": "USER", "email": "mail@acme.com", "profileId": "1234567890"}, "events": [{"type": "user_action", "name": "message_posted", "parameters": [{"name": "room_id", "value": "ABCDEFGH"}, {"name": "timestamp_ms", "value": "1617909687595199"}, {"name": "actor", "value": "mail@acme.com"}, {"name": "message_id", "value": "ZYXWVUTS"}, {"name": "retention_state", "value": "PERMANENT"}, {"name": "room_name", "value": ""}]}]}</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>What I want is to create some counts/dashboards with fields from "parameters" along with others, but they all have the same name in this nest.</P><P>This is what I came with, but all the "name" and "value" strings are grouped:</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">| spath path=events{}. output=events | mvexpand events | rename events as _raw | extract | rename parameters{}.name as pname, parameters{}.value as pvalue | table _time pname pvalue</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>Also I don't know if this can be done with the search parameters only (sorry If I'm talking nonsense).</P><P>Thanks</P> Thu, 08 Apr 2021 21:13:42 GMT bsdd04 2021-04-08T21:13:42Z https://community.splunk.com/t5/Getting-Data-In/Extract-values-from-nested-JSON-with-same-name-fields/m-p/547269#M91097 <P>Hi people,</P><P>First of all I'm still newbie with Splunk, but I'm trying to extract fields from a JSON sent by the Admin Report API from Google and I'm having trouble.&nbsp;</P><P>Here is a sample JSON:</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">{"kind": "admin#reports#activity", "id": {"time": "2021-04-08T19:21:27.595Z", "uniqueQualifier": "-0987654321", "applicationName": "chat", "customerId": "C0123456A"}, "etag": "\"giant/string\"", "actor": {"callerType": "USER", "email": "mail@acme.com", "profileId": "1234567890"}, "events": [{"type": "user_action", "name": "message_posted", "parameters": [{"name": "room_id", "value": "ABCDEFGH"}, {"name": "timestamp_ms", "value": "1617909687595199"}, {"name": "actor", "value": "mail@acme.com"}, {"name": "message_id", "value": "ZYXWVUTS"}, {"name": "retention_state", "value": "PERMANENT"}, {"name": "room_name", "value": ""}]}]}</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>What I want is to create some counts/dashboards with fields from "parameters" along with others, but they all have the same name in this nest.</P><P>This is what I came with, but all the "name" and "value" strings are grouped:</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">| spath path=events{}. output=events | mvexpand events | rename events as _raw | extract | rename parameters{}.name as pname, parameters{}.value as pvalue | table _time pname pvalue</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>Also I don't know if this can be done with the search parameters only (sorry If I'm talking nonsense).</P><P>Thanks</P> Thu, 08 Apr 2021 21:13:42 GMT https://community.splunk.com/t5/Getting-Data-In/Extract-values-from-nested-JSON-with-same-name-fields/m-p/547269#M91097 bsdd04 2021-04-08T21:13:42Z https://community.splunk.com/t5/Getting-Data-In/Extract-values-from-nested-JSON-with-same-name-fields/m-p/547271#M91098 <P>Perhaps this will help as far as extracting fields and values</P><LI-CODE lang="markup">| makeresults | eval _raw="{\"kind\": \"admin#reports#activity\", \"id\": {\"time\": \"2021-04-08T19:21:27.595Z\", \"uniqueQualifier\": \"-0987654321\", \"applicationName\": \"chat\", \"customerId\": \"C0123456A\"}, \"etag\": \"\\\"giant/string\\\"\", \"actor\": {\"callerType\": \"USER\", \"email\": \"mail@acme.com\", \"profileId\": \"1234567890\"}, \"events\": [{\"type\": \"user_action\", \"name\": \"message_posted\", \"parameters\": [{\"name\": \"room_id\", \"value\": \"ABCDEFGH\"}, {\"name\": \"timestamp_ms\", \"value\": \"1617909687595199\"}, {\"name\": \"actor\", \"value\": \"mail@acme.com\"}, {\"name\": \"message_id\", \"value\": \"ZYXWVUTS\"}, {\"name\": \"retention_state\", \"value\": \"PERMANENT\"}, {\"name\": \"room_name\", \"value\": \"\"}]}]}" | spath path=events{}. output=events | spath input=events path=parameters{} output=parameters | mvexpand parameters | spath input=parameters | eval {name}=value | stats values(*) as * by events | fields - parameters name value events</LI-CODE> Thu, 08 Apr 2021 21:31:21 GMT https://community.splunk.com/t5/Getting-Data-In/Extract-values-from-nested-JSON-with-same-name-fields/m-p/547271#M91098 ITWhisperer 2021-04-08T21:31:21Z https://community.splunk.com/t5/Getting-Data-In/Extract-values-from-nested-JSON-with-same-name-fields/m-p/547428#M91112 <P>That's perfect! I still need to grasp my understanting of mv and spath commands though...&nbsp;<span class="lia-unicode-emoji" title=":thinking_face:">🤔</span></P> Fri, 09 Apr 2021 18:12:18 GMT https://community.splunk.com/t5/Getting-Data-In/Extract-values-from-nested-JSON-with-same-name-fields/m-p/547428#M91112 bsdd04 2021-04-09T18:12:18Z