Display nested JSON as table

theiamdude
New Member

I am trying to implement system package tracking in Splunk using Ansible fact collections, but I am having some difficulty reading the message received.

The message received is:

    {
        @timestamp: 2018-11-06T22:07:46.062Z
        ansible_facts: { ... }
        ansible_facts_modified: 2018-11-06T22:07:46.027218+00:00
        cluster_host_id: awx
        host: awx
        host_name: 192.168.1.120
        inventory_id: 2
        job_id: 48
        level: INFO
        logger_name: awx.analytics.system_tracking
        message: New fact for inventory Local host 192.168.1.120
        tower_uuid:
        type: splunk
    }

Most of the information I need is inside the ansible_facts block, and I am able to get most of it except for two areas that have a different structure. The structure is the same for both of those.

{
    "ansible_facts": {
        "packages": {
            "libbz2-1.0": [{
                "version": "1.0.6-5",
                "source": "apt",
                "arch": "amd64",
                "name": "libbz2-1.0"
            }],
            "patch": [{
                "version": "2.7.1-4ubuntu1",
                "source": "apt",
                "arch": "amd64",
                "name": "patch"
            }],
            "gcc-4.8-base": [{
                    "version": "4.8.2-19ubuntu1",
                    "source": "apt",
                    "arch": "amd64",
                    "name": "gcc-4.8-base"
                }
            ]
        }
    }
}

Further down the line, I would like to print any changes of package version through time, but at this stage I am trying to print the list of packages and their corresponding versions in a table.

I tried the following search, but it's not returning any results.

spath input=_raw | rename ansible_facts.packages{}.* as *
 | eval values=mvzip(mvzip(mvzip(name,version),release),arch)
 | mvexpand values| eval values = split(values,",")
 | eval name=mvindex(values,0)|eval version=mvindex(values,1) |eval release=mvindex(values,2)|eval arch=mvindex(values,3)
 | table name version release arch

Any help would be greatly appreciated.

0 Karma

pramit46
Contributor

@theiamdude, except for the ansible_facts block, the rest of the text does not look properly formatted as JSON.
What do you get when you run spath? Does it show ansible_facts in the fields section on the left-side panel?

0 Karma

theiamdude
New Member

I am able to see some of the values in the fields section.

I am able to get other values under the ansible_facts block (below is not the entire block):

{
    "ansible_facts": {
        "ansible_distribution": "OracleLinux",
        "ansible_distribution_version": "6.9",
        "ansible_architecture": "x86_64",
        "ansible_os_family": "RedHat",
        "ansible_kernel": "3.8.13-118.21.4.el6uek.x86_64",
        "facter_processorcount": 2,
        "facter_memorysize": "7.80 GB",
        "facter_uptime": "34 days",
        "ansible_bios_version": "4.4.4OVM",
        "ansible_bios_date": "04/18/2018",
        "ansible_hostname": "localhost",
        "ansible_pkg_mgr": "yum",
        "ansible_user_id": "testapp",
        "packages": {
            "libbz2-1.0": [{
                "version": "1.0.6-5",
                "source": "apt",
                "arch": "amd64",
                "name": "libbz2-1.0"
            }],
            "patch": [{
                "version": "2.7.1-4ubuntu1",
                "source": "apt",
                "arch": "amd64",
                "name": "patch"
            }],
            "gcc-4.8-base": [{
                "version": "4.8.2-19ubuntu1",
                "source": "apt",
                "arch": "amd64",
                "name": "gcc-4.8-base"
            }]
        },
        "services": {
            "blk-availability": {
                "source": "sysv",
                "state": "running",
                "name": "blk-availability"
            },
            "lvm2-lvmetad": {
                "source": "sysv",
                "state": "running",
                "name": "lvm2-lvmetad"
            },
            "acpid": {
                "source": "sysv",
                "state": "running",
                "name": "acpid"
            }
        }
    }
}

When I run the following search I am able to get it in a table:
index=dev__inf source=AWX_source | spath logger_name | search logger_name="awx.analytics.system_tracking"
| spath input=_raw path="ansible_facts.ansible_distribution" output=linux_distribution
| spath input=_raw path="ansible_facts.ansible_distribution_version" output=distribution_version
| spath input=_raw path="ansible_facts.ansible_architecture" output=architecture
| spath input=_raw path="ansible_facts.ansible_os_family" output=os_family
| spath input=_raw path="ansible_facts.ansible_kernel" output=kernel
| spath input=_raw path="ansible_facts.facter_processorcount" output=processorcount
| spath input=_raw path="ansible_facts.facter_memorysize" output=memorysize
| spath input=_raw path="ansible_facts.ansible_bios_version" output=bios_version
| spath input=_raw path="ansible_facts.ansible_bios_date" output=bios_date
| spath input=_raw path="ansible_facts.ansible_hostname" output=hostname
| spath input=_raw path="ansible_facts.ansible_pkg_mgr" output=pkg_mgr
| spath input=_raw path="ansible_facts.ansible_user_id" output=user_id
| table hostname user_id architecture os_family linux_distribution distribution_version kernel pkg_mgr bios_version bios_date processorcount memorysize

    hostname              localhost
    user_id               testapp
    architecture          x86_64
    os_family             RedHat
    linux_distribution    OracleLinux
    distribution_version  6.9
    kernel                3.8.13
    pkg_mgr               yum
    bios_version          4.4.4OVM
    bios_date             04/18/2018
    processorcount        2
    memorysize            7.80 GB
0 Karma
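The packages question in the opening post is left open in the thread, so the search below is an added example and not something any of the posters wrote. The reason the first attempt matched nothing is visible in the posted JSON: `ansible_facts.packages` is an object keyed by package name, not an array, so `ansible_facts.packages{}.*` resolves to no fields (the arrays sit one level down, at `ansible_facts.packages.<name>{}`), and the objects have no `release` field at all. Because the keys are dynamic, the usual spath path syntax cannot enumerate them; the approach here instead pulls the whole `packages` subtree out as JSON text, uses `rex` to cut it into one string per package object (each object is brace-free inside, as the samples show), expands those into rows and runs `spath` on each row. The index and source names are taken from the working search above; the `pkg_*` field names are chosen here to avoid clobbering Splunk's own `source` field. The tail of the pipeline is the "changes through time" part: it sorts each host's package rows by time and flags any row whose version differs from the previous one, which is the raw signal for patch verification and for spotting unexpected installs or downgrades.

```spl
index=dev__inf source=AWX_source
| spath logger_name
| search logger_name="awx.analytics.system_tracking"
| spath input=_raw path="ansible_facts.packages" output=packages_json
| rex field=packages_json max_match=0 "(?<pkg>\{[^{}]*\})"
| mvexpand pkg
| spath input=pkg path=name output=pkg_name
| spath input=pkg path=version output=pkg_version
| spath input=pkg path=arch output=pkg_arch
| spath input=pkg path=source output=pkg_source
| fields _time host_name pkg_name pkg_version pkg_arch pkg_source
| sort 0 host_name pkg_name _time
| streamstats current=f window=1 last(pkg_version) as prev_version by host_name pkg_name
| where isnotnull(prev_version) AND pkg_version!=prev_version
| table _time host_name pkg_name prev_version pkg_version pkg_arch
```

For the plain inventory table the original post asked for, stop after the `fields` line and finish with `| table _time host_name pkg_name pkg_version pkg_arch pkg_source`. Two caveats worth checking before relying on this: `mvexpand` is bounded by `max_mem_usage_mb` in limits.conf, so for hosts with thousands of packages look for truncation warnings in the job inspector rather than assuming the row count is complete; and the `rex` pattern depends on each package object containing no nested braces, which holds for the shapes posted here but should be re-checked if the fact collector ever changes its output. The `services` block has the same brace-free inner objects (without the array wrapper), so the same `rex`/`mvexpand`/`spath` sequence works there with `path="ansible_facts.services"` and `state` in place of `version`.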