Getting Data In

Display nested JSON as table

theiamdude
New Member

I am trying to implement system package tracking in Splunk using Ansible facts collections, but I am having some difficulties reading the message received.

The message received is:

    {
         @timestamp:     2018-11-06T22:07:46.062Z
         ansible_facts: { ... }
         ansible_facts_modified:     2018-11-06T22:07:46.027218+00:00
         cluster_host_id:    awx
         host:   awx
         host_name:  192.168.1.120
         inventory_id:   2
         job_id:     48
         level:  INFO
         logger_name:    awx.analytics.system_tracking
         message:    New fact for inventory Local host 192.168.1.120
         tower_uuid:
         type:   splunk
    }

Most of the information I need is inside the ansible_facts block, and I am able to get most of it except for 2 areas which have a different structure. The structure is the same for both of those.

{
    "ansible_facts": {
        "packages": {
            "libbz2-1.0": [{
                "version": "1.0.6-5",
                "source": "apt",
                "arch": "amd64",
                "name": "libbz2-1.0"
            }],
            "patch": [{
                "version": "2.7.1-4ubuntu1",
                "source": "apt",
                "arch": "amd64",
                "name": "patch"
            }],
            "gcc-4.8-base": [{
                    "version": "4.8.2-19ubuntu1",
                    "source": "apt",
                    "arch": "amd64",
                    "name": "gcc-4.8-base"
                }
            ]
        }
    }
}

Further on, I would like to print any changes of package version over time, but at this stage I am trying to print the list of packages and their corresponding versions in a table.

I tried the following search, but it's not returning any results.

    spath input=_raw | rename ansible_facts.packages{}.* as *
     | eval values=mvzip(mvzip(mvzip(name,version),release),arch)
     | mvexpand values | eval values = split(values,",")
     | eval name=mvindex(values,0) | eval version=mvindex(values,1) | eval release=mvindex(values,2) | eval arch=mvindex(values,3)
     | table name version release arch

Any help would be greatly appreciated.

0 Karma

pramit46
Contributor

@theiamdude, except for the ansible_facts block, the rest of the text does not look like properly formatted JSON.
What do you get when you run spath? Does it show ansible_facts in the fields section on the left side panel?

0 Karma

theiamdude
New Member

I am able to see some of the values in the fields section.

I am able to get other values under the ansible_facts block (below is not the entire block):
    {
        "ansible_facts": {
            "ansible_distribution": "OracleLinux",
            "ansible_distribution_version": "6.9",
            "ansible_architecture": "x86_64",
            "ansible_os_family": "RedHat",
            "ansible_kernel": "3.8.13-118.21.4.el6uek.x86_64",
            "facter_processorcount": 2,
            "facter_memorysize": "7.80 GB",
            "facter_uptime": "34 days",
            "ansible_bios_version": "4.4.4OVM",
            "ansible_bios_date": "04/18/2018",
            "ansible_hostname": "localhost",
            "ansible_pkg_mgr": "yum",
            "ansible_user_id": "testapp",
            "packages": {
                "libbz2-1.0": [{
                    "version": "1.0.6-5",
                    "source": "apt",
                    "arch": "amd64",
                    "name": "libbz2-1.0"
                }],
                "patch": [{
                    "version": "2.7.1-4ubuntu1",
                    "source": "apt",
                    "arch": "amd64",
                    "name": "patch"
                }],
                "gcc-4.8-base": [{
                    "version": "4.8.2-19ubuntu1",
                    "source": "apt",
                    "arch": "amd64",
                    "name": "gcc-4.8-base"
                }]
            },
            "services": {
                "blk-availability": {
                    "source": "sysv",
                    "state": "running",
                    "name": "blk-availability"
                },
                "lvm2-lvmetad": {
                    "source": "sysv",
                    "state": "running",
                    "name": "lvm2-lvmetad"
                },
                "acpid": {
                    "source": "sysv",
                    "state": "running",
                    "name": "acpid"
                }
            }
        }
    }

When I run the following search I am able to get it in a table:
    index=dev__inf source=AWX_source | spath logger_name | search logger_name="awx.analytics.system_tracking"
    | spath input=_raw path="ansible_facts.ansible_distribution" output=linux_distribution
    | spath input=_raw path="ansible_facts.ansible_distribution_version" output=distribution_version
    | spath input=_raw path="ansible_facts.ansible_architecture" output=architecture
    | spath input=_raw path="ansible_facts.ansible_os_family" output=os_family
    | spath input=_raw path="ansible_facts.ansible_kernel" output=kernel
    | spath input=_raw path="ansible_facts.facter_processorcount" output=processorcount
    | spath input=_raw path="ansible_facts.facter_memorysize" output=memorysize
    | spath input=_raw path="ansible_facts.ansible_bios_version" output=bios_version
    | spath input=_raw path="ansible_facts.ansible_bios_date" output=bios_date
    | spath input=_raw path="ansible_facts.ansible_hostname" output=hostname
    | spath input=_raw path="ansible_facts.ansible_pkg_mgr" output=pkg_mgr
    | spath input=_raw path="ansible_facts.ansible_user_id" output=user_id
    | table hostname user_id architecture os_family linux_distribution distribution_version kernel pkg_mgr bios_version bios_date processorcount memorysize

hostname user_id architecture os_family linux_distribution distribution_version kernel pkg_mgr bios_version bios_date processorcount memorysize
localhost testapp x86_64 RedHat OracleLinux 6.9 3.8.13 yum 4.4.4OVM 04/18/2018 2 7.80 GB
0 Karma
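Added example (not from the thread): the two "different structure" areas are a map keyed by package name whose values are arrays of install records (`packages`), and a map keyed by service name whose values are single objects (`services`); the `packages{}` in the failing search expects an array where there is an object, which is why it matches nothing. The script below flattens both shapes into table rows and, going one step beyond the question, diffs two snapshots to surface package version changes over time (the "further on" goal), which is the inventory drift a vulnerability-management workflow would alert on. The sample event is constructed from the fields posted above.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample event, trimmed to the fields this thread discusses
# (same shape as the AWX system_tracking message shown above).
EVENT = json.dumps({
    "logger_name": "awx.analytics.system_tracking",
    "host_name": "192.168.1.120",
    "ansible_facts": {
        "ansible_hostname": "localhost",
        "packages": {
            "libbz2-1.0": [{"version": "1.0.6-5", "source": "apt", "arch": "amd64", "name": "libbz2-1.0"}],
            "patch": [{"version": "2.7.1-4ubuntu1", "source": "apt", "arch": "amd64", "name": "patch"}],
            "gcc-4.8-base": [{"version": "4.8.2-19ubuntu1", "source": "apt", "arch": "amd64", "name": "gcc-4.8-base"}],
        },
        "services": {"acpid": {"source": "sysv", "state": "running", "name": "acpid"}},
    },
})

def package_rows(raw: str) -> List[Dict[str, str]]:
    """packages is a map name -> list of install records (a package can be
    installed more than once, e.g. per arch), so emit one row per record."""
    facts = json.loads(raw).get("ansible_facts", {})
    rows = []
    for name, installs in facts.get("packages", {}).items():
        for pkg in installs:
            rows.append({"name": pkg.get("name", name),
                         "version": pkg.get("version", ""),
                         "source": pkg.get("source", ""),
                         "arch": pkg.get("arch", "")})
    return sorted(rows, key=lambda r: (r["name"], r["arch"]))

def service_rows(raw: str) -> List[Dict[str, str]]:
    """services is a map name -> single record, not a list."""
    facts = json.loads(raw).get("ansible_facts", {})
    return [{"name": svc.get("name", name), "state": svc.get("state", ""),
             "source": svc.get("source", "")}
            for name, svc in facts.get("services", {}).items()]

def version_changes(old_raw: str, new_raw: str) -> List[Tuple[str, str, str]]:
    """Diff two snapshots of the same host: (name, old_version, new_version),
    with '' marking a package absent on one side (newly installed or removed)."""
    def index(raw):
        return {(r["name"], r["arch"]): r["version"] for r in package_rows(raw)}
    old, new = index(old_raw), index(new_raw)
    return [(n, old.get((n, a), ""), new.get((n, a), ""))
            for n, a in sorted(old.keys() | new.keys())
            if old.get((n, a)) != new.get((n, a))]
```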