https://community.splunk.com/t5/Splunk-Search/How-to-parse-this-json-data/m-p/628428#M218281 <P>Thank you <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a> for your help.<BR /><BR />I get the correct number of rows (Events(3)) but with empty values.</P> Thu, 26 Jan 2023 08:42:36 GMT sdhiaeddine 2023-01-26T08:42:36Z https://community.splunk.com/t5/Splunk-Search/How-to-parse-this-json-data/m-p/628310#M218252 <P>Hi,<BR /><BR />Please could you help with parsing this json data to table</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">{ "list_element": [ { "element": "{\"var1\":\"1.1.8.8:443\",\"var2\":\"1188\"}" }, { "element": "{\"var1\":\"8.8.1.1:443\",\"var2\":\"8811\"}" }, { "element": "{\"var1\":\"1.2.3.4:443\",\"var2\":\"1234\"}" } ] }</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>The result should look like:</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="50%">var1</TD> <TD width="50%">var2</TD> </TR> <TR> <TD width="50%">1.1.8.8:443</TD> <TD width="50%">1188</TD> </TR> <TR> <TD width="50%">8.8.1.1:443</TD> <TD width="50%">8811</TD> </TR> <TR> <TD>1.2.3.4:443</TD> <TD>1234</TD> </TR> </TBODY> </TABLE> Thu, 26 Jan 2023 19:08:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-parse-this-json-data/m-p/628310#M218252 sdhiaeddine 2023-01-26T19:08:59Z https://community.splunk.com/t5/Splunk-Search/How-to-parse-this-json-data/m-p/628316#M218253 <LI-CODE lang="markup">| spath list_element{} output=list_element | mvexpand list_element | spath input=list_element | spath input=element | table var1 var2</LI-CODE> Wed, 25 Jan 2023 17:27:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-parse-this-json-data/m-p/628316#M218253 ITWhisperer 2023-01-25T17:27:24Z https://community.splunk.com/t5/Splunk-Search/How-to-parse-this-json-data/m-p/628428#M218281 <P>Thank you <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a> for your help.<BR /><BR />I get the correct number of rows (Events(3)) but with empty values.</P> Thu, 26 Jan 2023 08:42:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-parse-this-json-data/m-p/628428#M218281 sdhiaeddine 2023-01-26T08:42:36Z https://community.splunk.com/t5/Splunk-Search/How-to-parse-this-json-data/m-p/628433#M218283 <P>It sounds like your example isn't a close enough match to your actual events. Here is a example of it working correctly with your sample data.</P><LI-CODE lang="markup">| makeresults | eval _raw="{ \"list_element\": [ { \"element\": \"{\\\"var1\\\":\\\"1.1.8.8:443\\\",\\\"var2\\\":\\\"1188\\\"}\" }, { \"element\": \"{\\\"var1\\\":\\\"8.8.1.1:443\\\",\\\"var2\\\":\\\"8811\\\"}\" }, { \"element\": \"{\\\"var1\\\":\\\"1.2.3.4:443\\\",\\\"var2\\\":\\\"1234\\\"}\" } ] }" | spath list_element{} output=list_element | mvexpand list_element | spath input=list_element | spath input=element | table var1 var2</LI-CODE><P>If you need any further help, please can you share your actual events, anonymised of course.</P> Thu, 26 Jan 2023 09:10:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-parse-this-json-data/m-p/628433#M218283 ITWhisperer 2023-01-26T09:10:26Z https://community.splunk.com/t5/Splunk-Search/How-to-parse-this-json-data/m-p/628439#M218284 <P>This is the actual event format</P><P>&nbsp;</P><LI-CODE lang="markup">{event_disabled: false internal_event_id: 124578_1245 name: ELEMENT_EVENT element_list: {"list_element":[{"element": "{\"var1\":\"1.1.8.8:443\",\"var2\":\"1188\"}"},{"element": "{\"var1\":\"8.8.1.1:443\",\"var2\":\"8811\"}"},{"element": "{\"var1\":\"1.2.3.4:443\",\"var2\":\"1234\"}"}]} phone_number: 123456789 }</LI-CODE><P>&nbsp;</P> Thu, 26 Jan 2023 15:16:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-parse-this-json-data/m-p/628439#M218284 sdhiaeddine 2023-01-26T15:16:32Z https://community.splunk.com/t5/Splunk-Search/How-to-parse-this-json-data/m-p/628579#M218350 <P>If that is really the actual event, the developers deserve spanking. &nbsp;This is not conformant JSON but near garbage. &nbsp;First off, the nodes are not properly separated by comma. &nbsp;Secondly, keys and text values are not properly quoted all the way through.</P><P>Is it possible that the&nbsp;<STRONG>actual&nbsp;</STRONG>"actual" event format is like this instead?</P><LI-CODE lang="markup">{"event_disabled": false, "internal_event_id": "124578_1245", "name": "ELEMENT_EVENT", "element_list": {"list_element":[{"element": "{\"var1\":\"1.1.8.8:443\",\"var2\":\"1188\"}"},{"element": "{\"var1\":\"8.8.1.1:443\",\"var2\":\"8811\"}"},{"element": "{\"var1\":\"1.2.3.4:443\",\"var2\":\"1234\"}"}]}, "phone_number": 123456789 }</LI-CODE><P>It is extremely important to present accurate data if you want to get concrete help (as opposed to seek general ideas).</P><P>Meanwhile, if the data is as I posted above, Splunk would have already given you a multivalue field named&nbsp;element_list.list_element{}.element. &nbsp;You'll need to run mvexpand on that as&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;suggested, then spath again.</P><LI-CODE lang="markup">| mvexpand element_list.list_element{}.element | spath input=element_list.list_element{}.element | table var1 var2</LI-CODE><P>&nbsp;</P> Fri, 27 Jan 2023 07:40:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-parse-this-json-data/m-p/628579#M218350 yuanliu 2023-01-27T07:40:43Z