Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to extract out a nested key and its values from a JSON object where the key names are dynamic?

splunk_dev
Explorer
‎01-30-2024 04:08 AM

Hi , 

 

I have a JSON object of following type :

 
{
 "time": "14040404.550055",
"Food_24ww": {
     "Grains" : {
              "status" : "OK",
             "report": {
                  "2014": {
                          "type" :"rice",
                          "prod" : "50",
                          "rate"  : "30"
                  },
               "2015": {
                       "type": "pulses",
                       "prod" : "50",
                      "rate"  : "30"
               }
      }
},
   "Beverages" : {
 
        "status": "Good",
       "2014": {
           "type" :"pepsi",
          "prod" : "50",
          "rate"  : "60"
        },
     "2015": {
         "type": "coke",
         "prod" : "55",
         "rate"  : "30"
      }
   }
 }
}

 

I want to extract all the key values inside "report" key for "Grains" and "Beverages".

Means , for Grains , I want 2014 (and key values inside it), 2015 (and key values inside it) , similarly for Beverages.

 

Now the challenge is none of the JSON keys until "reports" are constant. 

The first key "Food_24ww" and the next level "Grains" and "Beverages" are not constant. 

 

Thanks

Labels (1)
Labels
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-30-2024 04:40 AM

What would your expected results look like?

Reply

splunk_dev
Explorer
‎01-30-2024 05:16 AM

Hi ,

It would look as below , for either of Grains or Beverages :

 

Lets say for Beverages 

 

yeartypeprodrate
2014pepsi5060
2015coke5530

 

Similar tabular representation will be applicable for Grains( in a separate table of course). 

 

Hope my answer is clear. 

Please let me know else will try to explain further.

Thanks

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-30-2024 05:39 AM

It's not that easy because you have several independent data points in the same event.

To complicate the case further, you don't even have your "categories" and those datapoints as entries in an array, but instead as separate members of the object (Beverages and Grains and members further down the object). So you can't use the typical "spath and mvexpand" approach because you have nothing to mvexpand and you don't know what to spath by in the first place.

With just one such json, you can indeed transpose the whole event and treat each field as separate event as @ITWhisperer showed. But with more events like this it's gonna get complicated.

instead of transposing you could try to use foreach to "combine" values from separate fields into "composite fields" and then mvexpand and split them into single fields but it's very very ugly and probably not very efficient.

Can't you get your data in some decent format in the first place?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-30-2024 05:32 AM

Assuming a single event, try something like this

| spath
| fields - _raw
| transpose 0 column_name=field
| eval group=mvindex(split(field,"."),1)
| eval year=mvindex(split(field,"."),-2)
| where year=2014 or year=2015
| eval key=mvindex(split(field,"."),-1)
| eval {key}='row 1'
| fields - "row 1" key field
| stats values(*) as * by group year
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...