
What is the alternative command to use for mvzip?

anooshac
Communicator

Hi all, I am using mvzip while working with a JSON file. Now, in the new Splunk dashboards, it seems like the mvzip command is deprecated. Is there any way to extract values from nested JSON apart from mvzip?


ITWhisperer
SplunkTrust

What do you mean by "seems like the mvzip command is deprecated"? Are you getting an error message? How are you trying to use it?

If you don't want to or can't use the mvzip command, a replacement would depend on what it is you are trying to do. Can you please expand on your use case, with sample events, a description (in non-SPL terms) of what you are trying to achieve, and a representation of your desired output?


anooshac
Communicator

 ResourceInfo: {
     ID: "58",
     User: "abc",
     NVM: {
       a: "522523632",
       b: "80000000",
       c: "442523632",
       d: "14",
       .
       .
     },
     RAM: { [+]
     },
     ROM: { [+]
     }
     }

For RAM, ROM and NVM I want to get the specific data inside them.

component   Value
a           522523632
b           80000000
c           442523632
d           14
.
.
.

I want to form a table like this for RAM, ROM and NVM, and I do it like this. But sometimes I get an error message like "field tmp does not exist", even though there is data. So I want to avoid mvzip and get this data in some other way. Is there a way to deal with JSON data?

| spath output=RAM ResourceInfo.RAM
| rex field=RAM max_match=0 "\"(?<component>[^\"]+)\":(?<Value>[\d\.]+)"
| eval tmp = mvzip(component,Value)
| mvexpand tmp
| eval component=mvindex(split(tmp,","),0)
| eval Value=mvindex(split(tmp,","),1)
| table component Value


ITWhisperer
SplunkTrust

Try it this way around:

| spath output=RAM ResourceInfo.RAM
| rex field=RAM max_match=0 "\"(?<tmp>[^\"]+\":[\d\.]+)"
| mvexpand tmp 
| rex field=tmp "(?<component>[^\"]+)\":(?<Value>[\d\.]+)"
| table component Value

anooshac
Communicator

This solution is working and I'm not seeing any warning message now.

How is this different from mvzip?

May I know why mvzip gives a warning if the data is empty?


ITWhisperer
SplunkTrust

Perhaps if you can isolate the event or events which are generating the error, you might be able to determine this. However, my guess is that sometimes you end up with one or more nulls from the rex and this is what mvzip doesn't like.

Doing it this way around avoids using mvzip because the mvexpand is done before the fields are split up, so the association across the row is maintained and doesn't need to be rebuilt with mvzip.

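The distinction in the reply above (re-pairing separately extracted columns with mvzip versus expanding each key:value pair as one unit and splitting it afterwards) is easier to see outside Splunk. The Python below is an added illustration, not code from this thread or from Splunk: it runs three extraction strategies over a constructed ResourceInfo event whose RAM section deliberately contains one non-numeric value ("n/a"), so that the numeric value pattern used in the thread's rex skips it. The regexes mirror the thread's patterns; the function names (`section_text`, `zip_columns`, `expand_then_split`, `parse_json`, `component_table`) and the sample data are assumptions made for this example.

```python
import json
import re

# Constructed sample event (not from the original post). RAM deliberately
# contains one non-numeric value, "n/a", which the numeric value pattern skips.
SAMPLE_EVENT = {
    "ResourceInfo": {
        "ID": "58",
        "User": "abc",
        "NVM": {"a": 522523632, "b": 80000000, "c": 442523632, "d": 14},
        "RAM": {"a": 1024, "b": 2048, "c": "n/a", "d": 7},
        "ROM": {"a": 16},
    }
}

# Counterpart of the thread's single rex: key and numeric value in one match.
KV_RE = re.compile(r'"([^"]+)":([\d.]+)')
# Separate per-column patterns: the extraction shape that needs mvzip to re-pair.
KEY_RE = re.compile(r'"([^"]+)":')
NUM_RE = re.compile(r':([\d.]+)')


def section_text(event, section):
    """Like `spath output=RAM ResourceInfo.RAM`: the sub-object as JSON text,
    or None when the section is absent (the field would not exist in Splunk)."""
    obj = event["ResourceInfo"].get(section)
    return None if obj is None else json.dumps(obj, separators=(",", ":"))


def zip_columns(text):
    """Column-first: extract keys and values independently, then pair them
    positionally (what mvzip does). When the two lists differ in length every
    pair after the gap is wrong, and zip() silently truncates the longer list."""
    if text is None:
        return []  # no matches at all: nothing to pair, so no tmp field to expand
    keys = KEY_RE.findall(text)
    vals = NUM_RE.findall(text)
    return list(zip(keys, vals))


def expand_then_split(text):
    """Row-first, the accepted answer's shape: capture each key:value pair as one
    unit, then split it. Association is never lost; a pair whose value does not
    match the numeric pattern is dropped rather than attributed to the wrong key."""
    if text is None:
        return []
    return [(m.group(1), m.group(2)) for m in KV_RE.finditer(text)]


def parse_json(text):
    """Treat the sub-object as JSON instead of text: every key is kept, including
    non-numeric values, and no regex has to know the value's shape."""
    if text is None:
        return []
    return [(k, str(v)) for k, v in json.loads(text).items()]


def component_table(event, section, extractor=parse_json):
    """Rows of (component, Value) for one section: the table the question asks for."""
    return extractor(section_text(event, section))


if __name__ == "__main__":
    for name, fn in (("mvzip-style", zip_columns),
                     ("expand-then-split", expand_then_split),
                     ("json", parse_json)):
        print(name, component_table(SAMPLE_EVENT, "RAM", fn))
```

On the RAM section the column-first approach returns `c` paired with `d`'s value and loses `d` entirely, the row-first approach returns the correct pairs but omits `c`, and the JSON parser returns all four. On NVM, where every value is numeric, all three agree, which is why a pipeline like this can appear to work until one event is shaped differently; a section that is missing altogether yields no rows from any of them.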