Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Iterating thru json array

eckythump
Engager
‎12-14-2021 05:40 AM

Hi sorry if this has been asked before, spent lot of time researching but can't find quite the answer.

I have this json logged below, I want to do analysis on the order lines, so need a search to return two lines from my json example.

Order ReferenceDescriptionValue
XXXPAUL35,700
XXXIS GREAT42,000

I've tried a million things, can't get it to work 😞

Thanks in advance

Paul (who isn't actually that great!)

THE JSON

{
  "orderReference": "xxx",
  "orderLine": [
  { 
     "orderLineUserItemDescription": "PAUL",  
     "orderLineUnitPrice": "35700.0",
   }, 
   { 
     "orderLineUserItemDescription": "IS GREAT",
     "orderLineUnitPrice": "42000.0",
   } ]
}

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

eckythump
Engager
‎12-14-2021 10:28 AM

You  are a genius!  Thank you so much for answering so quickly, works amazingly and learned a lot in this post.

Drinks on me if you ever pass thru Atlanta!

Paul

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-14-2021 06:54 AM

Alternatively:

 

| makeresults | eval _raw="{
  \"orderReference\": \"xxx\",
  \"orderLine\": [
  { 
     \"orderLineUserItemDescription\": \"PAUL\",  
     \"orderLineUnitPrice\": \"35700.0\"
   }, 
   { 
     \"orderLineUserItemDescription\": \"IS GREAT\",
     \"orderLineUnitPrice\": \"42000.0\"
   }
   ]
}" 


| spath orderLine{} output=orderLine
| mvexpand orderLine
| spath input=orderLine
| spath orderReference
| rename orderReference as "Order Reference", orderLineUnitPrice as Value, orderLineUserItemDescription as Description
| table "Order Reference" Description Value

 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-14-2021 06:06 AM

One doesn't iterate through the array.  The array is treated as a single entity so we have to split it into separate events.  Something like this:

| makeresults | eval _raw="{
  \"orderReference\": \"xxx\",
  \"orderLine\": [
  { 
     \"orderLineUserItemDescription\": \"PAUL\",  
     \"orderLineUnitPrice\": \"35700.0\"
   }, 
   { 
     \"orderLineUserItemDescription\": \"IS GREAT\",
     \"orderLineUnitPrice\": \"42000.0\"
   }
   ]
}" | spath
```Everything above just sets up test data```
```Rename the fields for convenience```
| rename orderLine{}.orderLineUserItemDescription as Description, orderLine{}.orderLineUnitPrice as Value
```Match up Description and Value pairs```
| eval DV=mvzip(Description,Value, ";")
```Split the Description/Value pairs into separate events```
| mvexpand DV
```Break the Description/Value pairs apart```
| eval DV=split(DV,";")
| eval Description = mvindex(DV,0), Value=mvindex(DV, 1)
```Display the results```
| table orderReference Description Value
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution
Solution

eckythump
Engager
‎12-14-2021 10:28 AM

You  are a genius!  Thank you so much for answering so quickly, works amazingly and learned a lot in this post.

Drinks on me if you ever pass thru Atlanta!

Paul

0 Karma
Reply
Get Updates on the Splunk Community!

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...