Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Iterating thru json array

eckythump
Engager
‎12-14-2021 05:40 AM

Hi sorry if this has been asked before, spent lot of time researching but can't find quite the answer.

I have this json logged below, I want to do analysis on the order lines, so need a search to return two lines from my json example.

Order ReferenceDescriptionValue
XXXPAUL35,700
XXXIS GREAT42,000

I've tried a million things, can't get it to work 😞

Thanks in advance

Paul (who isn't actually that great!)

THE JSON

{
  "orderReference": "xxx",
  "orderLine": [
  { 
     "orderLineUserItemDescription": "PAUL",  
     "orderLineUnitPrice": "35700.0",
   }, 
   { 
     "orderLineUserItemDescription": "IS GREAT",
     "orderLineUnitPrice": "42000.0",
   } ]
}

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

eckythump
Engager
‎12-14-2021 10:28 AM

You  are a genius!  Thank you so much for answering so quickly, works amazingly and learned a lot in this post.

Drinks on me if you ever pass thru Atlanta!

Paul

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-14-2021 06:54 AM

Alternatively:

 

| makeresults | eval _raw="{
  \"orderReference\": \"xxx\",
  \"orderLine\": [
  { 
     \"orderLineUserItemDescription\": \"PAUL\",  
     \"orderLineUnitPrice\": \"35700.0\"
   }, 
   { 
     \"orderLineUserItemDescription\": \"IS GREAT\",
     \"orderLineUnitPrice\": \"42000.0\"
   }
   ]
}" 


| spath orderLine{} output=orderLine
| mvexpand orderLine
| spath input=orderLine
| spath orderReference
| rename orderReference as "Order Reference", orderLineUnitPrice as Value, orderLineUserItemDescription as Description
| table "Order Reference" Description Value

 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-14-2021 06:06 AM

One doesn't iterate through the array.  The array is treated as a single entity so we have to split it into separate events.  Something like this:

| makeresults | eval _raw="{
  \"orderReference\": \"xxx\",
  \"orderLine\": [
  { 
     \"orderLineUserItemDescription\": \"PAUL\",  
     \"orderLineUnitPrice\": \"35700.0\"
   }, 
   { 
     \"orderLineUserItemDescription\": \"IS GREAT\",
     \"orderLineUnitPrice\": \"42000.0\"
   }
   ]
}" | spath
```Everything above just sets up test data```
```Rename the fields for convenience```
| rename orderLine{}.orderLineUserItemDescription as Description, orderLine{}.orderLineUnitPrice as Value
```Match up Description and Value pairs```
| eval DV=mvzip(Description,Value, ";")
```Split the Description/Value pairs into separate events```
| mvexpand DV
```Break the Description/Value pairs apart```
| eval DV=split(DV,";")
| eval Description = mvindex(DV,0), Value=mvindex(DV, 1)
```Display the results```
| table orderReference Description Value
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution
Solution

eckythump
Engager
‎12-14-2021 10:28 AM

You  are a genius!  Thank you so much for answering so quickly, works amazingly and learned a lot in this post.

Drinks on me if you ever pass thru Atlanta!

Paul

0 Karma
Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...