https://community.splunk.com/t5/Splunk-Search/Grab-json-value-with-dynamic-key-from-splunk/m-p/692968#M235844 <P>First, thank you for using text to illustrate data, and clearly present desired result. &nbsp;But next time make sure you preserve valid JSON syntax. &nbsp;Your illustrated text is missing quotation marks required by JSON. &nbsp;Correcting for syntax, I assume that the original data would look like</P><P>&nbsp;</P><LI-CODE lang="markup">{ "location": "US", "all_results": { "serial_a": { "result": "PASS", "version": "123", "data":[ "data1", "data2", "data3" ] }, "serial_b": { "result": "PASS", "version": "456", "data":[ "data4", "data5" ] }, "serial_c": { "result": "FAIL", "version": "789", "data":[ "data6", "data7" ] } } }</LI-CODE><P>&nbsp;</P><P>This same ask has come several times recently, and there are several ways to do this. &nbsp;This time, I'll try something new, and less roundabout in logic.</P><P>&nbsp;</P><LI-CODE lang="markup">| fields location | spath path=all_results | fields - _* | eval serial_number = json_array_to_mv(json_keys(all_results)) | mvexpand serial_number | eval all_results = json_extract(all_results, serial_number) | spath input=all_results | fields - all_results | rename data{} as data | eval data = mvjoin(data, ",")</LI-CODE><P>&nbsp;</P><P>You data gives</P><TABLE><TBODY><TR><TD>location</TD><TD>data</TD><TD>result</TD><TD>serial_number</TD><TD>version</TD></TR><TR><TD>US</TD><TD>data1,data2,data3</TD><TD>PASS</TD><TD>serial_a</TD><TD>123</TD></TR><TR><TD>US</TD><TD>data4,data5</TD><TD>PASS</TD><TD>serial_b</TD><TD>456</TD></TR><TR><TD>US</TD><TD>data6,data7</TD><TD>FAIL</TD><TD>serial_c</TD><TD>789</TD></TR></TBODY></TABLE><P>This is an emulation for you to play around and compare with real data</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval _raw = "{ \"location\": \"US\", \"all_results\": { \"serial_a\": { \"result\": \"PASS\", \"version\": \"123\", \"data\":[ \"data1\", \"data2\", \"data3\" ] }, \"serial_b\": { \"result\": \"PASS\", \"version\": \"456\", \"data\":[ \"data4\", \"data5\" ] }, \"serial_c\": { \"result\": \"FAIL\", \"version\": \"789\", \"data\":[ \"data6\", \"data7\" ] } } }" | spath ``` data emulation above ```</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Thu, 11 Jul 2024 06:16:58 GMT yuanliu 2024-07-11T06:16:58Z https://community.splunk.com/t5/Splunk-Search/Grab-json-value-with-dynamic-key-from-splunk/m-p/692948#M235834 <P>Hi everyone,</P><P>&nbsp;</P><P>I have a json data payload as below:</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="python">{ location: US all_results: { serial_a: { result: PASS, version: 123, data:[ data1, data2, data3 ] }, serial_b: { result: PASS, version: 456, data:[ data4, data5 ] }, serial_c: { result: FAIL, version: 789, data:[ data6, data7 ] } } }</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>and I would like to use splunk query and make a table as:</P><TABLE border="1" width="100%"><TBODY><TR><TD width="25%" height="25px">serial_number&nbsp;</TD><TD width="25%" height="25px">result</TD><TD width="25%" height="25px">version</TD><TD width="25%" height="25px">&nbsp;data</TD></TR><TR><TD height="69px"><DIV><DIV><SPAN>serial_a</SPAN></DIV></DIV></TD><TD height="69px"><DIV><DIV><SPAN>PASS</SPAN></DIV></DIV></TD><TD height="69px">123</TD><TD height="69px"><DIV><DIV><SPAN>data1</SPAN><SPAN>,</SPAN></DIV><DIV><SPAN>data2</SPAN><SPAN>,</SPAN></DIV><DIV><SPAN>data3</SPAN></DIV></DIV></TD></TR><TR><TD height="47px"><DIV><DIV><SPAN>serial_b</SPAN></DIV></DIV></TD><TD height="47px"><DIV><DIV><SPAN>PASS</SPAN></DIV></DIV></TD><TD height="47px">456</TD><TD height="47px"><DIV><DIV><SPAN>data4</SPAN><SPAN>,</SPAN></DIV><DIV><SPAN>data5</SPAN><SPAN>,</SPAN></DIV></DIV></TD></TR><TR><TD height="47px"><DIV><DIV><SPAN>serial_c</SPAN></DIV></DIV></TD><TD height="47px">fail</TD><TD height="47px">789</TD><TD height="47px"><DIV><DIV><SPAN>data6</SPAN><SPAN>,</SPAN></DIV><DIV><SPAN>data7</SPAN></DIV></DIV></TD></TR></TBODY></TABLE><P>&nbsp;</P><P>how to use splunk query to organize the result?<BR />I know I'm able to grab the data by:<BR />| spath path=all_results output=all_results<BR />| eval all_results=json_extract(all_results)</P><P>The difficult part is at the&nbsp;serial_number. They have some common prefix serial, but it's dynamic. Therefore , when I try to&nbsp;grab the data inside serial_number, for example version, I'm not able to use query like:<BR />| spath&nbsp; output=version path=all_result.serial*.version<BR /><BR /></P><P>Could you give me some idea to do that? thank you!</P> Thu, 11 Jul 2024 00:45:56 GMT https://community.splunk.com/t5/Splunk-Search/Grab-json-value-with-dynamic-key-from-splunk/m-p/692948#M235834 darrfang 2024-07-11T00:45:56Z https://community.splunk.com/t5/Splunk-Search/Grab-json-value-with-dynamic-key-from-splunk/m-p/692968#M235844 <P>First, thank you for using text to illustrate data, and clearly present desired result. &nbsp;But next time make sure you preserve valid JSON syntax. &nbsp;Your illustrated text is missing quotation marks required by JSON. &nbsp;Correcting for syntax, I assume that the original data would look like</P><P>&nbsp;</P><LI-CODE lang="markup">{ "location": "US", "all_results": { "serial_a": { "result": "PASS", "version": "123", "data":[ "data1", "data2", "data3" ] }, "serial_b": { "result": "PASS", "version": "456", "data":[ "data4", "data5" ] }, "serial_c": { "result": "FAIL", "version": "789", "data":[ "data6", "data7" ] } } }</LI-CODE><P>&nbsp;</P><P>This same ask has come several times recently, and there are several ways to do this. &nbsp;This time, I'll try something new, and less roundabout in logic.</P><P>&nbsp;</P><LI-CODE lang="markup">| fields location | spath path=all_results | fields - _* | eval serial_number = json_array_to_mv(json_keys(all_results)) | mvexpand serial_number | eval all_results = json_extract(all_results, serial_number) | spath input=all_results | fields - all_results | rename data{} as data | eval data = mvjoin(data, ",")</LI-CODE><P>&nbsp;</P><P>You data gives</P><TABLE><TBODY><TR><TD>location</TD><TD>data</TD><TD>result</TD><TD>serial_number</TD><TD>version</TD></TR><TR><TD>US</TD><TD>data1,data2,data3</TD><TD>PASS</TD><TD>serial_a</TD><TD>123</TD></TR><TR><TD>US</TD><TD>data4,data5</TD><TD>PASS</TD><TD>serial_b</TD><TD>456</TD></TR><TR><TD>US</TD><TD>data6,data7</TD><TD>FAIL</TD><TD>serial_c</TD><TD>789</TD></TR></TBODY></TABLE><P>This is an emulation for you to play around and compare with real data</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval _raw = "{ \"location\": \"US\", \"all_results\": { \"serial_a\": { \"result\": \"PASS\", \"version\": \"123\", \"data\":[ \"data1\", \"data2\", \"data3\" ] }, \"serial_b\": { \"result\": \"PASS\", \"version\": \"456\", \"data\":[ \"data4\", \"data5\" ] }, \"serial_c\": { \"result\": \"FAIL\", \"version\": \"789\", \"data\":[ \"data6\", \"data7\" ] } } }" | spath ``` data emulation above ```</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Thu, 11 Jul 2024 06:16:58 GMT https://community.splunk.com/t5/Splunk-Search/Grab-json-value-with-dynamic-key-from-splunk/m-p/692968#M235844 yuanliu 2024-07-11T06:16:58Z