What is the alternative command to use for mvzip?

anooshac
Communicator

Hi All, I am using mvzip while working with a JSON file. Now in the new Splunk dashboards it seems like the mvzip command is deprecated. Is there any way to extract values from nested JSON apart from mvzip?

0 Karma

ITWhisperer
SplunkTrust

What do you mean by "seems like mvzip command is deprecated"? Are you getting an error message? How are you trying to use it?

If you don't want to or can't use the mvzip command, a replacement would depend on what it is you are trying to do. Please can you expand on your use case, with sample events, a description (in non-SPL terms) of what you are trying to achieve, and a representation of your desired output.

0 Karma

anooshac
Communicator

 

 

 ResourceInfo: {
     ID: "58",
     User: "abc",
     NVM: { 
       a: "522523632",
       b: "80000000",
       c: "442523632",
       d: "14",
       .
       .

     },
     RAM: { [+]
     },
     ROM: { [+]
     }
     }

 

 

 

And for RAM, ROM and NVM I want to get the specific data inside them.

component   Value
a           522523632
b           80000000
c           442523632
d           14
.
.
.

I want to form a table like this for RAM, ROM and NVM, and I do it like this. But sometimes I get an error message like field tmp does not exist, even when there is data. So I want to avoid mvzip and get this data in some other way. Is there a way to deal with JSON data?

 

 

| spath output=RAM ResourceInfo.RAM
| rex field=RAM max_match=0 "\"(?<component>[^\"]+)\":(?<Value>[\d\.]+)"
| eval tmp = mvzip(component,Value) 
| mvexpand tmp 
| eval component=mvindex(split(tmp,","),0) 
| eval Value=mvindex(split(tmp,","),1)
| table component Value

 

 

0 Karma

ITWhisperer
SplunkTrust

Try it this way around

| spath output=RAM ResourceInfo.RAM
| rex field=RAM max_match=0 "\"(?<tmp>[^\"]+\":[\d\.]+)"
| mvexpand tmp 
| rex field=tmp "(?<component>[^\"]+)\":(?<Value>[\d\.]+)"
| table component Value
0 Karma

anooshac
Communicator

This solution is working and I'm not seeing any warning message now.

How is this different from mvzip?

May I know why mvzip gives a warning if the data is empty?

0 Karma

ITWhisperer
SplunkTrust

Perhaps if you can isolate the event or events which are generating the error, you might be able to determine this. However, my guess is that sometimes you end up with one or more nulls from the rex and this is what mvzip doesn't like.

Doing it this way around avoids using mvzip because the mvexpand is done before the fields are split up, so the association across the row is maintained and doesn't need to be rebuilt with the mvzip.

0 Karma
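Added example, not part of the thread above: a run-anywhere search that builds the component/Value table with Splunk's JSON eval functions (`json_keys`, `json_array_to_mv`, `json_extract`) instead of `rex` and `mvzip`. It parses the JSON rather than pattern-matching it, so quoted and unquoted values are both picked up. The two events in `constructed_event` are constructed sample data modelled on the event in the question (the second has no RAM section), and the search assumes a Splunk version that provides these functions.

```spl
| makeresults count=2
| streamstats count AS n
| eval constructed_event=if(n=1,
    "{\"ResourceInfo\":{\"ID\":\"58\",\"User\":\"abc\",\"RAM\":{\"a\":\"522523632\",\"b\":80000000,\"c\":\"442523632\",\"d\":14}}}",
    "{\"ResourceInfo\":{\"ID\":\"59\",\"User\":\"abc\"}}")
| spath input=constructed_event output=RAM path=ResourceInfo.RAM
| eval component=json_array_to_mv(json_keys(RAM))
| where isnotnull(component)
| mvexpand component
| eval Value=json_extract(RAM, component)
| table n component Value
```

The `where isnotnull(component)` line drops events that have no RAM section before `mvexpand` runs. Change the path to `ResourceInfo.ROM` or `ResourceInfo.NVM` for the other sections.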