topic multi-level nested JSON to table? in Splunk Search https://community.splunk.com/t5/Splunk-Search/multi-level-nested-JSON-to-table/m-p/645447#M223480 <P>There are numerous questions/answers about extracting nested JSON data, but none of those answers seem to apply to what I am attempting to do.</P><P>Given the following JSON data as indexed by Splunk:</P><PRE>{<BR /> "disks": {<BR /> "nvme0n1": {<BR /> "model": "PC401 NVMe SK hynix 512GB",<BR /> "serial": "123",<BR /> "size": "476.94 GiB",<BR /> "size_bytes": 512110190592,<BR /> "type": "ssd",<BR /> },<BR /> "sda": {<BR /> "model": "SK hynix SC401 S",<BR /> "serial": "456",<BR /> "size": "953.87 GiB",<BR /> "size_bytes": 1024209543168,<BR /> "type": "ssd",<BR /> "vendor": "ATA",<BR /> },<BR /> "sdb": {<BR /> "model": "SD/MMC CRW",<BR /> "serial": "789",<BR /> "size": "0 bytes",<BR /> "size_bytes": 0,<BR /> "type": "hdd",<BR /> "vendor": "Generic-"<BR /> },<BR /> }<BR />}</PRE><P>I want to produce a table like this:</P><PRE>&nbsp; host disk model serial size type<BR />--------------------------------------------------------------------------------<BR />myhost.example.org nvme0n1 PC401 NVMe SK hynix 512GB 123 476.94 GiB ssd<BR />myhost.example.org sda SK hynix SC401 S 456 953.87 GiB ssd<BR />myhost.example.org sdb SD/MMC CRW 789 0 bytes hdd<BR />--------------------------------------------------------------------------------</PRE><P>I can go after an individual disk, like so:</P><PRE>search … |<BR />dedup host |<BR />spath output=disk "disks.sda" |<BR />mvexpand disk |<BR />spath input=disk |<BR />table host model serial size type</PRE><P>…but how to perform this step for each disk in the disks array eludes me. Does anyone have any solutions?</P><P>A related question: where is SPL documented to such a degree where one could reasonably understand how to perform this type of extraction? Splunk documents the individual commands, but doesn’t really explain how to tie them together to create more complex actions, and the <A href="https://www.splunk.com/en_us/form/exploring-splunk-search-processing-language-spl-primer-and-cookbook.html" target="_self">Exploring Splunk: Search Processing Language (SPL) Primer and Cookbook</A> doesn’t even come close to explaining how to perform a complex action like this. Are there others tutorials/primers?</P> Thu, 01 Jun 2023 21:31:44 GMT qralston 2023-06-01T21:31:44Z multi-level nested JSON to table? https://community.splunk.com/t5/Splunk-Search/multi-level-nested-JSON-to-table/m-p/645447#M223480 <P>There are numerous questions/answers about extracting nested JSON data, but none of those answers seem to apply to what I am attempting to do.</P><P>Given the following JSON data as indexed by Splunk:</P><PRE>{<BR /> "disks": {<BR /> "nvme0n1": {<BR /> "model": "PC401 NVMe SK hynix 512GB",<BR /> "serial": "123",<BR /> "size": "476.94 GiB",<BR /> "size_bytes": 512110190592,<BR /> "type": "ssd",<BR /> },<BR /> "sda": {<BR /> "model": "SK hynix SC401 S",<BR /> "serial": "456",<BR /> "size": "953.87 GiB",<BR /> "size_bytes": 1024209543168,<BR /> "type": "ssd",<BR /> "vendor": "ATA",<BR /> },<BR /> "sdb": {<BR /> "model": "SD/MMC CRW",<BR /> "serial": "789",<BR /> "size": "0 bytes",<BR /> "size_bytes": 0,<BR /> "type": "hdd",<BR /> "vendor": "Generic-"<BR /> },<BR /> }<BR />}</PRE><P>I want to produce a table like this:</P><PRE>&nbsp; host disk model serial size type<BR />--------------------------------------------------------------------------------<BR />myhost.example.org nvme0n1 PC401 NVMe SK hynix 512GB 123 476.94 GiB ssd<BR />myhost.example.org sda SK hynix SC401 S 456 953.87 GiB ssd<BR />myhost.example.org sdb SD/MMC CRW 789 0 bytes hdd<BR />--------------------------------------------------------------------------------</PRE><P>I can go after an individual disk, like so:</P><PRE>search … |<BR />dedup host |<BR />spath output=disk "disks.sda" |<BR />mvexpand disk |<BR />spath input=disk |<BR />table host model serial size type</PRE><P>…but how to perform this step for each disk in the disks array eludes me. Does anyone have any solutions?</P><P>A related question: where is SPL documented to such a degree where one could reasonably understand how to perform this type of extraction? Splunk documents the individual commands, but doesn’t really explain how to tie them together to create more complex actions, and the <A href="https://www.splunk.com/en_us/form/exploring-splunk-search-processing-language-spl-primer-and-cookbook.html" target="_self">Exploring Splunk: Search Processing Language (SPL) Primer and Cookbook</A> doesn’t even come close to explaining how to perform a complex action like this. Are there others tutorials/primers?</P> Thu, 01 Jun 2023 21:31:44 GMT https://community.splunk.com/t5/Splunk-Search/multi-level-nested-JSON-to-table/m-p/645447#M223480 qralston 2023-06-01T21:31:44Z