https://community.splunk.com/t5/Splunk-Search/How-do-you-extract-dynamic-nested-array-coordinates-from-JSON/m-p/442931#M125703 <P>I need help in extracting fields from the dynamically nested array coordinates from JSON. </P> <P>Here is the example data.</P> <P>thirdParty: { [-] <BR /> Adobe Analytics: { [-] <BR /> bytes: 3182<BR /><BR /> end_time: 1726<BR /><BR /> requests: 4<BR /><BR /> serial_time: 212<BR /><BR /> start_time: 773<BR /><BR /> total_user_time: 953<BR /><BR /> }<BR /><BR /> Adobe TypeKit: { [-] <BR /> bytes: 162558 <BR /> end_time: 895<BR /><BR /> requests: 4<BR /><BR /> serial_time: 38 <BR /> start_time: 446<BR /><BR /> total_user_time: 449<BR /><BR /> }<BR /><BR /> Cloudfront: { [-] <BR /> bytes: 21578<BR /><BR /> end_time: 2241<BR /><BR /> requests: 1<BR /><BR /> serial_time: 26 <BR /> start_time: 2215<BR /><BR /> total_user_time: 26 <BR /> } </P> <P>The number of arrays within the ThirdParty array is dynamic. And I need to create a table like this.</P> <PRE><CODE>Site total_user_time Adobe Analytics 953 Adobe TypeKit 449 Cloudfront 26 </CODE></PRE> Tue, 29 Sep 2020 22:27:03 GMT aravindhan_padm 2020-09-29T22:27:03Z https://community.splunk.com/t5/Splunk-Search/How-do-you-extract-dynamic-nested-array-coordinates-from-JSON/m-p/442931#M125703 <P>I need help in extracting fields from the dynamically nested array coordinates from JSON. </P> <P>Here is the example data.</P> <P>thirdParty: { [-] <BR /> Adobe Analytics: { [-] <BR /> bytes: 3182<BR /><BR /> end_time: 1726<BR /><BR /> requests: 4<BR /><BR /> serial_time: 212<BR /><BR /> start_time: 773<BR /><BR /> total_user_time: 953<BR /><BR /> }<BR /><BR /> Adobe TypeKit: { [-] <BR /> bytes: 162558 <BR /> end_time: 895<BR /><BR /> requests: 4<BR /><BR /> serial_time: 38 <BR /> start_time: 446<BR /><BR /> total_user_time: 449<BR /><BR /> }<BR /><BR /> Cloudfront: { [-] <BR /> bytes: 21578<BR /><BR /> end_time: 2241<BR /><BR /> requests: 1<BR /><BR /> serial_time: 26 <BR /> start_time: 2215<BR /><BR /> total_user_time: 26 <BR /> } </P> <P>The number of arrays within the ThirdParty array is dynamic. And I need to create a table like this.</P> <PRE><CODE>Site total_user_time Adobe Analytics 953 Adobe TypeKit 449 Cloudfront 26 </CODE></PRE> Tue, 29 Sep 2020 22:27:03 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-extract-dynamic-nested-array-coordinates-from-JSON/m-p/442931#M125703 aravindhan_padm 2020-09-29T22:27:03Z https://community.splunk.com/t5/Splunk-Search/How-do-you-extract-dynamic-nested-array-coordinates-from-JSON/m-p/442932#M125704 <P>@aravindhan_padmanabhan </P> <P>Can you please try below search?</P> <PRE><CODE>YOUR_SEARCH | spath thirdParty output=_raw | kv | fields *.total_user_time, | fields - thirdParty.* _raw, _time | rename *.total_user_time as * | transpose column_name=Site | rename "row 1" as total_user_time </CODE></PRE> <P>My Sample Search:</P> <PRE><CODE>| makeresults | eval _raw="{\"thirdParty\": {\"Adobe Analytics\": {\"bytes\": \"3182\",\"end_time\": \"1726\",\"requests\": \"4\",\"serial_time\": \"212\",\"start_time\": \"773\",\"total_user_time\": \"953\"},\"Adobe TypeKit\": {\"bytes\": \"162558\",\"end_time\": \"895\",\"requests\": \"4\",\"serial_time\": \"38\",\"start_time\": \"446\",\"total_user_time\": \"449\"},\"Cloudfront\": {\"bytes\": \"21578\",\"end_time\": \"2241\",\"requests\": \"1\",\"serial_time\": \"26\",\"start_time\": \"2215\",\"total_user_time\": \"26\"}}}" | kv | spath thirdParty output=_raw | kv | fields *.total_user_time, | fields - thirdParty.* _raw, _time | rename *.total_user_time as * | transpose column_name=Site | rename "row 1" as total_user_time </CODE></PRE> <P>Thanks</P> Fri, 21 Dec 2018 09:55:14 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-extract-dynamic-nested-array-coordinates-from-JSON/m-p/442932#M125704 kamlesh_vaghela 2018-12-21T09:55:14Z