https://community.splunk.com/t5/Splunk-Search/How-do-I-get-Splunk-to-extract-nested-JSON-arrays-properly/m-p/275623#M83134 <P>Thanks for your help. I was finally able to accomplish this using spath &amp; mvexpand. In case someone else needs this in the future, my search is now:</P> <PRE><CODE>index=foo | spath path=systems{} output=x | fields - _raw | fields upTime, type, id, x | mvexpand x | spath input=x | rename admins{} as admins | mvexpand admins | stats count as Count by type, admins </CODE></PRE> Tue, 09 Feb 2016 17:48:57 GMT lyndac 2016-02-09T17:48:57Z https://community.splunk.com/t5/Splunk-Search/How-do-I-get-Splunk-to-extract-nested-JSON-arrays-properly/m-p/275620#M83131 <P>I am indexing JSON data. I need to be able to do stats based "by patches" and "by admin". I can't get spath or mvexpand to extract the nested arrays properly. Can anyone help me to figure this out? </P> <P>My props.conf looks like this:</P> <PRE><CODE>[ my_json ] INDEXED_EXTRACTIONS = json KV_MODE=none MAX_TIMESTAMP_LOOKAHEAD=30 NO_BINARY_CHECK=true TIMESTAMP_FIELDS=upTime TIME_FORMAT=%Y-%m-%d %H:%M:%S </CODE></PRE> <P>The data is similar to this:</P> <PRE><CODE>{ "upTime": "2015-02-08 16:43:23", "type": "thetype", "id": "123454829", "systems": [ { "hostname": "host1", "admins": [ "jdoe","lcod", "pamtie"], "os": "linux", "patches": ["1.2", "2.3", "4.3", "5.4"] }, { "hostname": "host2", "admins": [ "barry", "patty"], "os": "linux", "patches": ["2.3", "5.4"] } ] } </CODE></PRE> Mon, 08 Feb 2016 20:58:12 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-get-Splunk-to-extract-nested-JSON-arrays-properly/m-p/275620#M83131 lyndac 2016-02-08T20:58:12Z https://community.splunk.com/t5/Splunk-Search/How-do-I-get-Splunk-to-extract-nested-JSON-arrays-properly/m-p/275621#M83132 <P>This kind of data is a pain to work with because it requires the uses of mv commands. to extract what you want you need first zip the data you want to pull out. </P> <PRE><CODE>…| rename systems{}.hostname as hostname, rename systems{}.patches as patches | eval a mvzip(hostname,patches, "|") | fields _time a | mvexpand a | rex field=a "(?&lt;hostname&gt;[^\|]+)\|(?&lt;patches&gt;[^\|]+)" </CODE></PRE> <P>If you need to expand patches just append mvexpand patches to the end.</P> <P>I use this method to to extract multilevel deep fields with multiple values. It does a the limitation of only able to extract two multi valued fields from the data and get very slow with large data sets.</P> Mon, 08 Feb 2016 22:33:10 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-get-Splunk-to-extract-nested-JSON-arrays-properly/m-p/275621#M83132 bmacias84 2016-02-08T22:33:10Z https://community.splunk.com/t5/Splunk-Search/How-do-I-get-Splunk-to-extract-nested-JSON-arrays-properly/m-p/275622#M83133 <P>Your sample data doesn't look like in proper json format (some keys are not in double quotes) and that should be the reason spath (in search) and <CODE>INDEXED_EXTRACTIONS = json</CODE> in props.conf is not recognizing array. Check the syntax here <A href="http://pro.jsonlint.com/">http://pro.jsonlint.com/</A></P> Mon, 08 Feb 2016 22:38:13 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-get-Splunk-to-extract-nested-JSON-arrays-properly/m-p/275622#M83133 somesoni2 2016-02-08T22:38:13Z https://community.splunk.com/t5/Splunk-Search/How-do-I-get-Splunk-to-extract-nested-JSON-arrays-properly/m-p/275623#M83134 <P>Thanks for your help. I was finally able to accomplish this using spath &amp; mvexpand. In case someone else needs this in the future, my search is now:</P> <PRE><CODE>index=foo | spath path=systems{} output=x | fields - _raw | fields upTime, type, id, x | mvexpand x | spath input=x | rename admins{} as admins | mvexpand admins | stats count as Count by type, admins </CODE></PRE> Tue, 09 Feb 2016 17:48:57 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-get-Splunk-to-extract-nested-JSON-arrays-properly/m-p/275623#M83134 lyndac 2016-02-09T17:48:57Z