topic Re: Nested JSON field in Splunk Search

Nested JSON field

melvincorneliss — Wed, 20 Feb 2019 11:20:44 GMT

Hi I'm trying to do a count within my JSON logs. It's about the following data. I want to do a count for the extension_attribute with the name xxx-enrolled base on the value. How can I parse through this data? stats count is what I'm after.

{
"computer": {
"extension_attributes": [
{
"id": 1,
"name": "xxx-enrolled",
"type": "String",
"value": "3"
},
{
"id": 7,
"name": "xxx-filevault",
"type": "String",
"value": "FileVault is On."
},
{
"id": 4,
"name": "xxx-initial-hostname",
"type": "String",
"value": "xxxx-2i3l"
},
{
"id": 5,
"name": "Host name",
"type": "String",
"value": "xxxx-2i3l"
},
{
"id": 2,
"name": "Last User",
"type": "String",
"value": ""
},
]
}
}

Re: Nested JSON field

jason_prondak — Tue, 29 Sep 2020 23:23:39 GMT

You can try using spath to parse it first. Then pull out the fields.

| makeresults

| eval raw="{ \"computer\": { \"extension_attributes\": [ { \"id\": 1, \"name\": \"xxx-enrolled\", \"type\": \"String\", \"value\": \"3\" }, { \"id\": 7, \"name\": \"xxx-filevault\", \"type\": \"String\", \"value\": \"FileVault is On.\" }, { \"id\": 4, \"name\": \"xxx-initial-hostname\", \"type\": \"String\", \"value\": \"xxxx-2i3l\" }, { \"id\": 5, \"name\": \"Host name\", \"type\": \"String\", \"value\": \"xxxx-2i3l\" }, { \"id\": 2, \"name\": \"Last User\", \"type\": \"String\", \"value\": \"\" }, { \"id\": 5, \"name\": \"xxx-enrolled\", \"type\": \"String\", \"value\": \"10\" }, ] } }"
| rename raw AS _raw
| spath

| rename computer.extension_attributes{}.name AS name
| stats count by name

Re: Nested JSON field

woodcock — Thu, 21 Feb 2019 05:54:56 GMT

What should the exact output be?