https://community.splunk.com/t5/Splunk-Search/How-handle-JSON-Event-with-associative-Array/m-p/432708#M123645 <P>Hi, <BR /> i need a special result, but i dont know how to iterate over an associative array. </P> <P>Here is this JSON-Events: </P> <P>Event 1:</P> <PRE><CODE>{ "created": "28\/May\/2018:06:24:00 +0200", "response": { "products": { "1": { "id": 10, "price": 120 }, "2": { "id": 20, "price": 65 }, "3": { "id": 30, "price": 80 } } } } </CODE></PRE> <P>Event 2:</P> <PRE><CODE>{ "created": "30\/May\/2018:08:10:00 +0200", "response": { "products": { "1": { "id": 40, "price": 120 }, "2": { "id": 50, "price": 65 } } } } </CODE></PRE> <P>And i need the folowing result: </P> <PRE><CODE>ID Price ------------------- 10 120 20 65 ... 50 65 </CODE></PRE> <P>Any idea? <BR /> Many thanks <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 31 May 2018 10:29:51 GMT Roger_FB 2018-05-31T10:29:51Z https://community.splunk.com/t5/Splunk-Search/How-handle-JSON-Event-with-associative-Array/m-p/432708#M123645 <P>Hi, <BR /> i need a special result, but i dont know how to iterate over an associative array. </P> <P>Here is this JSON-Events: </P> <P>Event 1:</P> <PRE><CODE>{ "created": "28\/May\/2018:06:24:00 +0200", "response": { "products": { "1": { "id": 10, "price": 120 }, "2": { "id": 20, "price": 65 }, "3": { "id": 30, "price": 80 } } } } </CODE></PRE> <P>Event 2:</P> <PRE><CODE>{ "created": "30\/May\/2018:08:10:00 +0200", "response": { "products": { "1": { "id": 40, "price": 120 }, "2": { "id": 50, "price": 65 } } } } </CODE></PRE> <P>And i need the folowing result: </P> <PRE><CODE>ID Price ------------------- 10 120 20 65 ... 50 65 </CODE></PRE> <P>Any idea? <BR /> Many thanks <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 31 May 2018 10:29:51 GMT https://community.splunk.com/t5/Splunk-Search/How-handle-JSON-Event-with-associative-Array/m-p/432708#M123645 Roger_FB 2018-05-31T10:29:51Z https://community.splunk.com/t5/Splunk-Search/How-handle-JSON-Event-with-associative-Array/m-p/432709#M123646 <P>The best approach would be to store arrays as arrays. Once you have that, you can use this to get to the individual array elements:</P> <PRE><CODE> | spath response.products | mvexpand response.products | spath input=response.products </CODE></PRE> <P>The way your data is structured right now is that you have unknown/unbounded field/object names. Without known field/object names, how do you access fields/objects?</P> Thu, 31 May 2018 11:42:54 GMT https://community.splunk.com/t5/Splunk-Search/How-handle-JSON-Event-with-associative-Array/m-p/432709#M123646 martin_mueller 2018-05-31T11:42:54Z https://community.splunk.com/t5/Splunk-Search/How-handle-JSON-Event-with-associative-Array/m-p/432710#M123647 <P>@Roger_FB </P> <P>Can you please try this?</P> <PRE><CODE>YOUR_SEARCH | eval id="",price="" | foreach response.products.*.id [ eval id=id.if(id=="","",if(isnull('&lt;&lt;FIELD&gt;&gt;'),"",",")).if(isnull('&lt;&lt;FIELD&gt;&gt;'),"",'&lt;&lt;FIELD&gt;&gt;')] | foreach response.products.*.price [ eval price=price.if(price=="","",if(isnull('&lt;&lt;FIELD&gt;&gt;'),"",",")).if(isnull('&lt;&lt;FIELD&gt;&gt;'),"",'&lt;&lt;FIELD&gt;&gt;')] | eval id=split(id,","),price=split(price,","),temp=mvzip(id,price) | mvexpand temp | table temp | eval id=mvindex(split(temp,","),0),price=mvindex(split(temp,","),1) | table id price </CODE></PRE> <P><STRONG>My Sample Search:</STRONG></P> <PRE><CODE>| makeresults | eval _raw="{ \"created\": \"28\/May\/2018:06:24:00 +0200\", \"response\": {\"products\": { \"1\": { \"id\": 10,\"price\": 120}, \"2\": { \"id\": 20,\"price\": 65}, \"3\": { \"id\": 30,\"price\": 80 } } } }" | append [| makeresults | eval _raw="{\"created\": \"30\/May\/2018:08:10:00 +0200\",\"response\": {\"products\": {\"1\": {\"id\": 40,\"price\": 120},\"2\": {\"id\": 50,\"price\": 65}}}}"] | kv | eval id="",price="" | foreach response.products.*.id [ eval id=id.if(id=="","",if(isnull('&lt;&lt;FIELD&gt;&gt;'),"",",")).if(isnull('&lt;&lt;FIELD&gt;&gt;'),"",'&lt;&lt;FIELD&gt;&gt;') ] | foreach response.products.*.price [ eval price=price.if(price=="","",if(isnull('&lt;&lt;FIELD&gt;&gt;'),"",",")).if(isnull('&lt;&lt;FIELD&gt;&gt;'),"",'&lt;&lt;FIELD&gt;&gt;') ] | eval id=split(id,","),price=split(price,","),temp=mvzip(id,price) | mvexpand temp | table temp | eval id=mvindex(split(temp,","),0),price=mvindex(split(temp,","),1) | table id price </CODE></PRE> <P>Thanks</P> Mon, 21 Jan 2019 11:34:41 GMT https://community.splunk.com/t5/Splunk-Search/How-handle-JSON-Event-with-associative-Array/m-p/432710#M123647 kamlesh_vaghela 2019-01-21T11:34:41Z https://community.splunk.com/t5/Splunk-Search/How-handle-JSON-Event-with-associative-Array/m-p/525668#M148365 <P>Hey! Thanks so much for this!! The OP's problem was nearly identical to mine. I'm parsing thru Ansible's win_update JSon and they put in this stupid GUID thing for an object name...anyway...</P><P>I didn't know about having to pre populate my field for the foreach! I can't tell you how many hours and hours I spent wondering why, oh why, doesn't my foreach concatonation work???</P><P>I am totally stealing this from you.&nbsp;</P><LI-CODE lang="markup">| eval upd_kb="" | foreach ansible_result.filtered_updates.*.kb{} [eval upd_kb=upd_kb.if(upd_kb=="","",if(isnull('&lt;&lt;FIELD&gt;&gt;'),"",",")).if(isnull('&lt;&lt;FIELD&gt;&gt;'),"",'&lt;&lt;FIELD&gt;&gt;') ] | table upd_kb</LI-CODE><P>I'm not sure if I'll need the isnull check, but it sure couldn't hurt to have!</P><P>Thanks!!</P><P>J</P> Wed, 21 Oct 2020 02:17:41 GMT https://community.splunk.com/t5/Splunk-Search/How-handle-JSON-Event-with-associative-Array/m-p/525668#M148365 indigo42 2020-10-21T02:17:41Z