Dashboards & Visualizations

How to convert a nested json into table?

anooshac
Communicator

Hi all, i have a json file like this

 

 

{
	"NUM": "#7",
	"TIME": "May 23, 2022, 09:24:40 PM",
	"STATUS": "SUCCESS",
	"DURATION": "2 hours, 13 minutes",
	"URL": "abc.com",
	"COMPONENTS": [{
			"NAME": "abc",
			"Tasks": [{
				"ITEM": [{
						"ITEM_ID": "2782508",
						"FILE": "file1"
					},
					{
						WORKITEM_ID": "2782508",
						"FILE": "file2"
					},
					{
						"ITEM_ID": "2782508",
						"FILE": "file1"
					},
					{
						"ITEM_ID": "2782508",
						"FILE": "file3"
					}
				]

			}]
		},
		{
			"NAME": "xyz",
			"tasks": [{
				"ITEM": [{
					"ITEM_ID": "2811478",
					"FILE": "file2"
				}]

			}]
		}
	]
}

 

 

how can i create a table with columns "num time status duration component_name itemid file". How can i make all the values come in different rows not together.

Labels (2)
Tags (3)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
| spath COMPONENTS{} output=components
| mvexpand components
| spath input=components NAME
| spath input=components Tasks{}.ITEM{} output=items
| mvexpand items
| spath input=items
| fields - components items _raw
| table NAME ITEM_ID FILE

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

| foreach NUM TIME STATUS DURATION
    [| spath <<FIELD>>]
| spath COMPONENTS{} output=components
| mvexpand components
| spath input=components NAME
| spath input=components Tasks{}.ITEM{} output=items
| mvexpand items
| spath input=items
| fields - components items _raw
0 Karma

anooshac
Communicator

 tried this and im not getting a table, only events are showing.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @anooshac,

please try something like this:

<your_search>
| spath
| table NUM TIME STATUS DURATION COMPONENTS{}.NAME COMPONENTS{}.NAME.TASK{}.ITEMID COMPONENTS.NAME.TASK{}.FILE

I'm not sure about the last three field names, please check them.

Ciao.

Giuseppe

0 Karma

anooshac
Communicator

HI @gcusello ,This gives data in a single row. I want the data in different rows.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @anooshac ,

you asked for a table, this is a table, could you give a sample of the report youìd like?

Ciao.

Giuseppe

0 Karma

anooshac
Communicator

Hi @gcusello , this is how the resutls should come. And also i have individual JSON file for each "NUM" .

NUMSTATUSTIMEDURATIONNAMEITEM_IDFILE
#7SUCCESSMay 23, 2022, 09:24:40 PM2 hours, 13 minutesabc2782508file1
#7SUCCESSMay 23, 2022, 09:24:40 PM2 hours, 13 minutesabc2782508file2
#7SUCCESSMay 23, 2022, 09:24:40 PM2 hours, 13 minutesabc2782508file1
#7SUCCESSMay 23, 2022, 09:24:40 PM2 hours, 13 minutesabc2782508file3
#7SUCCESSMay 23, 2022, 09:24:40 PM2 hours, 13 minutesxyz2811478file2
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Here is a runanywhere example demonstrating it work (with corrections to your supplied data)

| makeresults
| fields - _time
| eval _raw="{
	\"NUM\": \"#7\",
	\"TIME\": \"May 23, 2022, 09:24:40 PM\",
	\"STATUS\": \"SUCCESS\",
	\"DURATION\": \"2 hours, 13 minutes\",
	\"URL\": \"abc.com\",
	\"COMPONENTS\": [{
			\"NAME\": \"abc\",
			\"Tasks\": [{
				\"ITEM\": [{
						\"ITEM_ID\": \"2782508\",
						\"FILE\": \"file1\"
					},
					{
						\"WORKITEM_ID\": \"2782508\",
						\"FILE\": \"file2\"
					},
					{
						\"ITEM_ID\": \"2782508\",
						\"FILE\": \"file1\"
					},
					{
						\"ITEM_ID\": \"2782508\",
						\"FILE\": \"file3\"
					}
				]

			}]
		},
		{
			\"NAME\": \"xyz\",
			\"Tasks\": [{
				\"ITEM\": [{
					\"ITEM_ID\": \"2811478\",
					\"FILE\": \"file2\"
				}]

			}]
		}
	]
}"
| foreach NUM TIME STATUS DURATION
    [| spath <<FIELD>>]
| spath COMPONENTS{} output=components
| mvexpand components
| spath input=components NAME
| spath input=components Tasks{}.ITEM{} output=items
| mvexpand items
| spath input=items
| fields - components items _raw
0 Karma

anooshac
Communicator

2023-06-08_14h01_46.png

 

 

@ITWhispererthere are individual file for all the "NUM". Will that be a problem for this?

I am getting as no results found. Only events are shown.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

What is the search that is giving you these results?

0 Karma

anooshac
Communicator

@ITWhisperer,The same search which yo have provided gives me this results.

 

the desired output should be , sorry for not mentioning clearly.

NUMSTATUSTIMEDURATIONNAMEITEM_IDFILE
#7SUCCESSMay 23, 2022, 09:24:40 PM2 hours, 13 minutesabc2782508file1
#7SUCCESSMay 23, 2022, 09:24:40 PM2 hours, 13 minutesabc2782508file2
#7SUCCESSMay 23, 2022, 09:24:40 PM2 hours, 13 minutesabc2782508file1
#7SUCCESSMay 23, 2022, 09:24:40 PM2 hours, 13 minutesabc2782508file3
#7SUCCESSMay 23, 2022, 09:24:40 PM2 hours, 13 minutesxyz2811478file2
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

The solution relies on the _raw field holding the JSON string (as shown on the runanywhere example).

The most likely reason for the solution not giving the expected result is that the _raw is not in JSON format, or, there is a mistake in the JSON (as there was in your pasted example).

Please can you share your actual raw events (with sensitive data obfuscated of course) in a code block </> as you did originally?

0 Karma

anooshac
Communicator

hi @ITWhisperer 

{
	"NUM": "#7",
	"TIME": "May 23, 2022, 09:24:40 PM",
	"STATUS": "SUCCESS",
	"DURATION": "2 hours, 13 minutes",
	"URL": "abc.com",
	"COMPONENTS": [{
			"NAME": "abc",
			"Tasks": [{
				"ITEM": [{
						"ITEM_ID": "2782508",
						"FILE": "file1"
					},
					{
						"ITEM_ID ": "2782508 ",
						"FILE": "file2"
					},
					{
						"ITEM_ID": "2782508",
						"FILE": "file1"
					},
					{
						"ITEM_ID": "2782508",
						"FILE": "file3"
					}
				]

			}]
		},
		{
			"NAME": "xyz",
			"tasks": [{
				"ITEM": [{
					"ITEM_ID": "2811478",
					"FILE": "file2"
				}]

			}]
		}
	]
}

this is the correct JSON file and the table required is,

NUMSTATUSTIMEDURATIONNAMEITEM_IDFILE
#7SUCCESSMay 23, 2022, 09:24:40 PM2 hours, 13 minutesabc2782508file1
#7SUCCESSMay 23, 2022, 09:24:40 PM2 hours, 13 minutesabc2782508file2
#7SUCCESSMay 23, 2022, 09:24:40 PM2 hours, 13 minutesabc2782508file1
#7SUCCESSMay 23, 2022, 09:24:40 PM2 hours, 13 minutesabc2782508file3
#7SUCCESSMay 23, 2022, 09:24:40 PM2 hours, 13 minutesxyz2811478file2

and also i have individual JSON file for "NUM".

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

This is a runanywhere example based on your "correct" JSON

| makeresults
| fields - _time
| eval _raw="{
	\"NUM\": \"#7\",
	\"TIME\": \"May 23, 2022, 09:24:40 PM\",
	\"STATUS\": \"SUCCESS\",
	\"DURATION\": \"2 hours, 13 minutes\",
	\"URL\": \"abc.com\",
	\"COMPONENTS\": [{
			\"NAME\": \"abc\",
			\"Tasks\": [{
				\"ITEM\": [{
						\"ITEM_ID\": \"2782508\",
						\"FILE\": \"file1\"
					},
					{
						\"ITEM_ID \": \"2782508 \",
						\"FILE\": \"file2\"
					},
					{
						\"ITEM_ID\": \"2782508\",
						\"FILE\": \"file1\"
					},
					{
						\"ITEM_ID\": \"2782508\",
						\"FILE\": \"file3\"
					}
				]

			}]
		},
		{
			\"NAME\": \"xyz\",
			\"tasks\": [{
				\"ITEM\": [{
					\"ITEM_ID\": \"2811478\",
					\"FILE\": \"file2\"
				}]

			}]
		}
	]
}"
| foreach NUM TIME STATUS DURATION
    [| spath <<FIELD>>]
| spath COMPONENTS{} output=components
| mvexpand components
| spath input=components NAME
| spath input=components Tasks{}.ITEM{} output=items
| mvexpand items
| spath input=items
| fields - components items _raw

However, I assume that there are a couple of typos, e.g. tasks should be Tasks and there shouldn't be a space after one of the ITEM_ID field names.

Having corrected these, gives this runanywhere example

| makeresults
| fields - _time
| eval _raw="{
	\"NUM\": \"#7\",
	\"TIME\": \"May 23, 2022, 09:24:40 PM\",
	\"STATUS\": \"SUCCESS\",
	\"DURATION\": \"2 hours, 13 minutes\",
	\"URL\": \"abc.com\",
	\"COMPONENTS\": [{
			\"NAME\": \"abc\",
			\"Tasks\": [{
				\"ITEM\": [{
						\"ITEM_ID\": \"2782508\",
						\"FILE\": \"file1\"
					},
					{
						\"ITEM_ID\": \"2782508 \",
						\"FILE\": \"file2\"
					},
					{
						\"ITEM_ID\": \"2782508\",
						\"FILE\": \"file1\"
					},
					{
						\"ITEM_ID\": \"2782508\",
						\"FILE\": \"file3\"
					}
				]

			}]
		},
		{
			\"NAME\": \"xyz\",
			\"Tasks\": [{
				\"ITEM\": [{
					\"ITEM_ID\": \"2811478\",
					\"FILE\": \"file2\"
				}]

			}]
		}
	]
}"
| foreach NUM TIME STATUS DURATION
    [| spath <<FIELD>>]
| spath COMPONENTS{} output=components
| mvexpand components
| spath input=components NAME
| spath input=components Tasks{}.ITEM{} output=items
| mvexpand items
| spath input=items
| fields - components items _raw

Which gives this result

ITWhisperer_0-1686220316723.png

 

anooshac
Communicator

@ITWhisperer, Thank you so much it is working..

I was also creating another table for the data,

NAMEITEM_IDFILE
abc2782508file1
abc2782508file2
abc2782508file1
abc2782508file3
xyz2811478file2

using the below query,

myindex...| mvexpand COMPONENTS{}.NAME
|mvexpand COMPONENTS{}.Tasks{}.ITEM{}
|rename COMPONENTS{}.NAMEas NAME COMPONENTS{}.Tasks{}.ITEM{}.ITEM_ID as ITEM_ID COMPONENTS{}.Tasks{}.ITEM{}.FILE as FILE | eval x=mvzip(ITEM_ID,FILE)|mvexpand x| eval ITEM_ID=mvindex(split(x,","),0)| eval FILE=mvindex(split(x,","),1)
| table NAME, ITEM_ID FILE

instead of 5 entries i am getting 10 entries. I am not sure what is the mistake here. Can you please tell if there is any?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

By mvexpand NAME, you have doubled your events, when you mvexpand x, you get 5 times the events. 2 * 5 = 10

If you have something that is working, why are you trying to break it?

0 Karma

anooshac
Communicator

@ITWhisperer, But if i don't do that the table comes as empty. Is there any other way to do this?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| spath COMPONENTS{} output=components
| mvexpand components
| spath input=components NAME
| spath input=components Tasks{}.ITEM{} output=items
| mvexpand items
| spath input=items
| fields - components items _raw
| table NAME ITEM_ID FILE

anooshac
Communicator

Thank you so much @ITWhisperer , It is working.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

If this solution doesn't give you the output you were expecting. please show us what the desired output should look like.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...