Dashboards & Visualizations

How to convert a nested json into table?

anooshac
Communicator

Hi all, i have a json file like this

 

 

{
	"NUM": "#7",
	"TIME": "May 23, 2022, 09:24:40 PM",
	"STATUS": "SUCCESS",
	"DURATION": "2 hours, 13 minutes",
	"URL": "abc.com",
	"COMPONENTS": [{
			"NAME": "abc",
			"Tasks": [{
				"ITEM": [{
						"ITEM_ID": "2782508",
						"FILE": "file1"
					},
					{
						WORKITEM_ID": "2782508",
						"FILE": "file2"
					},
					{
						"ITEM_ID": "2782508",
						"FILE": "file1"
					},
					{
						"ITEM_ID": "2782508",
						"FILE": "file3"
					}
				]

			}]
		},
		{
			"NAME": "xyz",
			"tasks": [{
				"ITEM": [{
					"ITEM_ID": "2811478",
					"FILE": "file2"
				}]

			}]
		}
	]
}

 

 

how can i create a table with columns "num time status duration component_name itemid file". How can i make all the values come in different rows not together.

Labels (2)
Tags (3)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
| spath COMPONENTS{} output=components
| mvexpand components
| spath input=components NAME
| spath input=components Tasks{}.ITEM{} output=items
| mvexpand items
| spath input=items
| fields - components items _raw
| table NAME ITEM_ID FILE

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

| foreach NUM TIME STATUS DURATION
    [| spath <<FIELD>>]
| spath COMPONENTS{} output=components
| mvexpand components
| spath input=components NAME
| spath input=components Tasks{}.ITEM{} output=items
| mvexpand items
| spath input=items
| fields - components items _raw
0 Karma

anooshac
Communicator

 tried this and im not getting a table, only events are showing.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @anooshac,

please try something like this:

<your_search>
| spath
| table NUM TIME STATUS DURATION COMPONENTS{}.NAME COMPONENTS{}.NAME.TASK{}.ITEMID COMPONENTS.NAME.TASK{}.FILE

I'm not sure about the last three field names, please check them.

Ciao.

Giuseppe

0 Karma

anooshac
Communicator

HI @gcusello ,This gives data in a single row. I want the data in different rows.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @anooshac ,

you asked for a table, this is a table, could you give a sample of the report youìd like?

Ciao.

Giuseppe

0 Karma

anooshac
Communicator

Hi @gcusello , this is how the resutls should come. And also i have individual JSON file for each "NUM" .

NUMSTATUSTIMEDURATIONNAMEITEM_IDFILE
#7SUCCESSMay 23, 2022, 09:24:40 PM2 hours, 13 minutesabc2782508file1
#7SUCCESSMay 23, 2022, 09:24:40 PM2 hours, 13 minutesabc2782508file2
#7SUCCESSMay 23, 2022, 09:24:40 PM2 hours, 13 minutesabc2782508file1
#7SUCCESSMay 23, 2022, 09:24:40 PM2 hours, 13 minutesabc2782508file3
#7SUCCESSMay 23, 2022, 09:24:40 PM2 hours, 13 minutesxyz2811478file2
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Here is a runanywhere example demonstrating it work (with corrections to your supplied data)

| makeresults
| fields - _time
| eval _raw="{
	\"NUM\": \"#7\",
	\"TIME\": \"May 23, 2022, 09:24:40 PM\",
	\"STATUS\": \"SUCCESS\",
	\"DURATION\": \"2 hours, 13 minutes\",
	\"URL\": \"abc.com\",
	\"COMPONENTS\": [{
			\"NAME\": \"abc\",
			\"Tasks\": [{
				\"ITEM\": [{
						\"ITEM_ID\": \"2782508\",
						\"FILE\": \"file1\"
					},
					{
						\"WORKITEM_ID\": \"2782508\",
						\"FILE\": \"file2\"
					},
					{
						\"ITEM_ID\": \"2782508\",
						\"FILE\": \"file1\"
					},
					{
						\"ITEM_ID\": \"2782508\",
						\"FILE\": \"file3\"
					}
				]

			}]
		},
		{
			\"NAME\": \"xyz\",
			\"Tasks\": [{
				\"ITEM\": [{
					\"ITEM_ID\": \"2811478\",
					\"FILE\": \"file2\"
				}]

			}]
		}
	]
}"
| foreach NUM TIME STATUS DURATION
    [| spath <<FIELD>>]
| spath COMPONENTS{} output=components
| mvexpand components
| spath input=components NAME
| spath input=components Tasks{}.ITEM{} output=items
| mvexpand items
| spath input=items
| fields - components items _raw
0 Karma

anooshac
Communicator

2023-06-08_14h01_46.png

 

 

@ITWhispererthere are individual file for all the "NUM". Will that be a problem for this?

I am getting as no results found. Only events are shown.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

What is the search that is giving you these results?

0 Karma

anooshac
Communicator

@ITWhisperer,The same search which yo have provided gives me this results.

 

the desired output should be , sorry for not mentioning clearly.

NUMSTATUSTIMEDURATIONNAMEITEM_IDFILE
#7SUCCESSMay 23, 2022, 09:24:40 PM2 hours, 13 minutesabc2782508file1
#7SUCCESSMay 23, 2022, 09:24:40 PM2 hours, 13 minutesabc2782508file2
#7SUCCESSMay 23, 2022, 09:24:40 PM2 hours, 13 minutesabc2782508file1
#7SUCCESSMay 23, 2022, 09:24:40 PM2 hours, 13 minutesabc2782508file3
#7SUCCESSMay 23, 2022, 09:24:40 PM2 hours, 13 minutesxyz2811478file2
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

The solution relies on the _raw field holding the JSON string (as shown on the runanywhere example).

The most likely reason for the solution not giving the expected result is that the _raw is not in JSON format, or, there is a mistake in the JSON (as there was in your pasted example).

Please can you share your actual raw events (with sensitive data obfuscated of course) in a code block </> as you did originally?

0 Karma

anooshac
Communicator

hi @ITWhisperer 

{
	"NUM": "#7",
	"TIME": "May 23, 2022, 09:24:40 PM",
	"STATUS": "SUCCESS",
	"DURATION": "2 hours, 13 minutes",
	"URL": "abc.com",
	"COMPONENTS": [{
			"NAME": "abc",
			"Tasks": [{
				"ITEM": [{
						"ITEM_ID": "2782508",
						"FILE": "file1"
					},
					{
						"ITEM_ID ": "2782508 ",
						"FILE": "file2"
					},
					{
						"ITEM_ID": "2782508",
						"FILE": "file1"
					},
					{
						"ITEM_ID": "2782508",
						"FILE": "file3"
					}
				]

			}]
		},
		{
			"NAME": "xyz",
			"tasks": [{
				"ITEM": [{
					"ITEM_ID": "2811478",
					"FILE": "file2"
				}]

			}]
		}
	]
}

this is the correct JSON file and the table required is,

NUMSTATUSTIMEDURATIONNAMEITEM_IDFILE
#7SUCCESSMay 23, 2022, 09:24:40 PM2 hours, 13 minutesabc2782508file1
#7SUCCESSMay 23, 2022, 09:24:40 PM2 hours, 13 minutesabc2782508file2
#7SUCCESSMay 23, 2022, 09:24:40 PM2 hours, 13 minutesabc2782508file1
#7SUCCESSMay 23, 2022, 09:24:40 PM2 hours, 13 minutesabc2782508file3
#7SUCCESSMay 23, 2022, 09:24:40 PM2 hours, 13 minutesxyz2811478file2

and also i have individual JSON file for "NUM".

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

This is a runanywhere example based on your "correct" JSON

| makeresults
| fields - _time
| eval _raw="{
	\"NUM\": \"#7\",
	\"TIME\": \"May 23, 2022, 09:24:40 PM\",
	\"STATUS\": \"SUCCESS\",
	\"DURATION\": \"2 hours, 13 minutes\",
	\"URL\": \"abc.com\",
	\"COMPONENTS\": [{
			\"NAME\": \"abc\",
			\"Tasks\": [{
				\"ITEM\": [{
						\"ITEM_ID\": \"2782508\",
						\"FILE\": \"file1\"
					},
					{
						\"ITEM_ID \": \"2782508 \",
						\"FILE\": \"file2\"
					},
					{
						\"ITEM_ID\": \"2782508\",
						\"FILE\": \"file1\"
					},
					{
						\"ITEM_ID\": \"2782508\",
						\"FILE\": \"file3\"
					}
				]

			}]
		},
		{
			\"NAME\": \"xyz\",
			\"tasks\": [{
				\"ITEM\": [{
					\"ITEM_ID\": \"2811478\",
					\"FILE\": \"file2\"
				}]

			}]
		}
	]
}"
| foreach NUM TIME STATUS DURATION
    [| spath <<FIELD>>]
| spath COMPONENTS{} output=components
| mvexpand components
| spath input=components NAME
| spath input=components Tasks{}.ITEM{} output=items
| mvexpand items
| spath input=items
| fields - components items _raw

However, I assume that there are a couple of typos, e.g. tasks should be Tasks and there shouldn't be a space after one of the ITEM_ID field names.

Having corrected these, gives this runanywhere example

| makeresults
| fields - _time
| eval _raw="{
	\"NUM\": \"#7\",
	\"TIME\": \"May 23, 2022, 09:24:40 PM\",
	\"STATUS\": \"SUCCESS\",
	\"DURATION\": \"2 hours, 13 minutes\",
	\"URL\": \"abc.com\",
	\"COMPONENTS\": [{
			\"NAME\": \"abc\",
			\"Tasks\": [{
				\"ITEM\": [{
						\"ITEM_ID\": \"2782508\",
						\"FILE\": \"file1\"
					},
					{
						\"ITEM_ID\": \"2782508 \",
						\"FILE\": \"file2\"
					},
					{
						\"ITEM_ID\": \"2782508\",
						\"FILE\": \"file1\"
					},
					{
						\"ITEM_ID\": \"2782508\",
						\"FILE\": \"file3\"
					}
				]

			}]
		},
		{
			\"NAME\": \"xyz\",
			\"Tasks\": [{
				\"ITEM\": [{
					\"ITEM_ID\": \"2811478\",
					\"FILE\": \"file2\"
				}]

			}]
		}
	]
}"
| foreach NUM TIME STATUS DURATION
    [| spath <<FIELD>>]
| spath COMPONENTS{} output=components
| mvexpand components
| spath input=components NAME
| spath input=components Tasks{}.ITEM{} output=items
| mvexpand items
| spath input=items
| fields - components items _raw

Which gives this result

ITWhisperer_0-1686220316723.png

 

anooshac
Communicator

@ITWhisperer, Thank you so much it is working..

I was also creating another table for the data,

NAMEITEM_IDFILE
abc2782508file1
abc2782508file2
abc2782508file1
abc2782508file3
xyz2811478file2

using the below query,

myindex...| mvexpand COMPONENTS{}.NAME
|mvexpand COMPONENTS{}.Tasks{}.ITEM{}
|rename COMPONENTS{}.NAMEas NAME COMPONENTS{}.Tasks{}.ITEM{}.ITEM_ID as ITEM_ID COMPONENTS{}.Tasks{}.ITEM{}.FILE as FILE | eval x=mvzip(ITEM_ID,FILE)|mvexpand x| eval ITEM_ID=mvindex(split(x,","),0)| eval FILE=mvindex(split(x,","),1)
| table NAME, ITEM_ID FILE

instead of 5 entries i am getting 10 entries. I am not sure what is the mistake here. Can you please tell if there is any?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

By mvexpand NAME, you have doubled your events, when you mvexpand x, you get 5 times the events. 2 * 5 = 10

If you have something that is working, why are you trying to break it?

0 Karma

anooshac
Communicator

@ITWhisperer, But if i don't do that the table comes as empty. Is there any other way to do this?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| spath COMPONENTS{} output=components
| mvexpand components
| spath input=components NAME
| spath input=components Tasks{}.ITEM{} output=items
| mvexpand items
| spath input=items
| fields - components items _raw
| table NAME ITEM_ID FILE

anooshac
Communicator

Thank you so much @ITWhisperer , It is working.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

If this solution doesn't give you the output you were expecting. please show us what the desired output should look like.

0 Karma
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...