topic Visualize JSON array of array in Splunk Search

Visualize JSON array of array

faustf — Tue, 12 Sep 2017 11:55:43 GMT

Hi guys,

I would like to convert the following event into a table:

{
   Id: 1505207351   
   Start: 1505207651    
   Resource: res    
   Nodes: [ 
            [ res1, 1 ] , [ res2, 3 ]   
       ]    
}

The output should be a table like this:

 Id        |    Start   | Nodes
1505207351 | 1505207651 | [res1,1] , [res2,3]

Or even better, display a subtable in the Nodes column:

 Id        |    Start   |    Nodes
           |            | Res | Rank
-------------------------------------
1505207351 | 1505207651 | res1 | 1 
                        | res2 | 3
------------------------------------
2305207351 | 2305207651 | res3 | 4 
                        | res4 | 3

The event sourcetype is _json
My actual query to search the events is this:

index="myindex" | spath | table Id, Start, Nodes

The result is a table but the Nodes column is empty

Thanks

Re: Visualize JSON array of array

somesoni2 — Tue, 12 Sep 2017 13:59:29 GMT

Try this

index="myindex" | spath | table Id, Start, Nodes* | rename Nodes{}{} as Nodes

Re: Visualize JSON array of array

faustf — Tue, 12 Sep 2017 15:01:54 GMT

Great it worked.
Is it difficult (or is it possible) to implement the subtable?

Re: Visualize JSON array of array

somesoni2 — Tue, 12 Sep 2017 15:36:18 GMT

It will be difficult. Firstly, the dual level columns are not possible (SPlunk doesn't support merged columns like you see in excel), but you you would be able to do some workaround. How does the data looks in the columns Nodes after the queries? Can you post some actual sample values (mask anything that is sensitive)? Conversion of that to the subtable format (converting NOdes to multivalued field) will depend on it current format. May be run this and tell actual values on both Nodes and NodesCount column.

index="myindex" | spath | table Id, Start, Nodes* | rename Nodes{}{} as Nodes | eval NodesCount=mvcount(Nodes)

Re: Visualize JSON array of array

faustf — Tue, 12 Sep 2017 15:48:31 GMT

This is my current result: link text

Re: Visualize JSON array of array

somesoni2 — Tue, 12 Sep 2017 16:21:42 GMT

Give this a try

 index="myindex" | spath | table Id, Start, Nodes* | rename Nodes{}{} as Nodes | rex field=Nodes max_match=0 "(?<Nodes_Res>\S+)\s+(?<Nodes_Rank>\d+)" 
|  table Id, Start, Nodes_Res Nodes_Rank