https://community.splunk.com/t5/Splunk-Search/How-to-get-only-matching-block-values-from-nested-json/m-p/625280#M217361 <P>Hi all,</P> <P>To give a problem background, I am trying to run a map command inside a search to get some values. THE JSON I am trying to access (sample below) has nested JSONs where I only need to read and derive value for the matched block. But as of now, my table command prints 3 rows instead of one (one row for each nested&nbsp; JSON). I would like to print only the matching JSON block and ignore the other.<BR /><BR />I think rex and spath will be required here but it was still printing 3 rows as the final output but I need to print only 1 row. Not sure how to use them correctly to get the results. Please help.<BR /><BR /></P> <P>my sample search:</P> <LI-CODE lang="markup">Index=Dummy X.id=AA11 | eval version=X.version | eval connTrain=X.conTrainId----(value is TR2) | map Index=ABC Y.TrainID=AA11 Y.version=$version$ Sample JSON is given below. In this case, I need to only access TR2 (second block) and print its time and passenger value. In real-time, there can be only 1 JSON block or many and matching block can be at any location in case of multiple blocks. { TrainID=AA11 "TrainData": [ { "ConnectingTrain": { "TR1": { "connectionTime": "59", "TotalPassengers": "44", }, "TR2": { "connectionTime": "33", "TotalPassengers": "47", }, "TR3": { "connectionTime": "51", "TotalPassengers": "27", } } } ] } </LI-CODE> Thu, 29 Dec 2022 04:08:52 GMT chetanN 2022-12-29T04:08:52Z https://community.splunk.com/t5/Splunk-Search/How-to-get-only-matching-block-values-from-nested-json/m-p/625280#M217361 <P>Hi all,</P> <P>To give a problem background, I am trying to run a map command inside a search to get some values. THE JSON I am trying to access (sample below) has nested JSONs where I only need to read and derive value for the matched block. But as of now, my table command prints 3 rows instead of one (one row for each nested&nbsp; JSON). I would like to print only the matching JSON block and ignore the other.<BR /><BR />I think rex and spath will be required here but it was still printing 3 rows as the final output but I need to print only 1 row. Not sure how to use them correctly to get the results. Please help.<BR /><BR /></P> <P>my sample search:</P> <LI-CODE lang="markup">Index=Dummy X.id=AA11 | eval version=X.version | eval connTrain=X.conTrainId----(value is TR2) | map Index=ABC Y.TrainID=AA11 Y.version=$version$ Sample JSON is given below. In this case, I need to only access TR2 (second block) and print its time and passenger value. In real-time, there can be only 1 JSON block or many and matching block can be at any location in case of multiple blocks. { TrainID=AA11 "TrainData": [ { "ConnectingTrain": { "TR1": { "connectionTime": "59", "TotalPassengers": "44", }, "TR2": { "connectionTime": "33", "TotalPassengers": "47", }, "TR3": { "connectionTime": "51", "TotalPassengers": "27", } } } ] } </LI-CODE> Thu, 29 Dec 2022 04:08:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-only-matching-block-values-from-nested-json/m-p/625280#M217361 chetanN 2022-12-29T04:08:52Z https://community.splunk.com/t5/Splunk-Search/How-to-get-only-matching-block-values-from-nested-json/m-p/625318#M217374 <P>If you're posting a search, please include it in code block or a preformatted style - it helps reading and prevents the web service from mangling the indentations and so on. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>Don't use map if you can avoid it! I know it's tempting, especially for someone new to Splunk (I've been there myself ;-)) but it's usually an attempt to do something in Splunk as you would normally do in other soultion (like SQL). It's most often not the way to go.</P><P>Try to describe what you want to achieve.</P> Tue, 27 Dec 2022 10:24:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-only-matching-block-values-from-nested-json/m-p/625318#M217374 PickleRick 2022-12-27T10:24:16Z