Display nested JSON as table

theiamdude
New Member

I am trying to implement system package tracking in Splunk using Ansible facts collections, but I am having some difficulties reading the message received.

The message received is:

    {   [-] 
         @timestamp:     2018-11-06T22:07:46.062Z   
         ansible_facts: {   [+] 
        }   
         ansible_facts_modified:     2018-11-06T22:07:46.027218+00:00   
         cluster_host_id:    awx    
         host:   awx    
         host_name:  192.168.1.120  
         inventory_id:   2  
         job_id:     48 
         level:  INFO   
         logger_name:    awx.analytics.system_tracking  
         message:    New fact for inventory Local host 192.168.1.120    
         tower_uuid:    
         type:   splunk 
    }

Most of the information I need is inside the ansible_facts block, and I am able to get most of it except for two areas that have a different structure. The structure is the same for both of them.

{
    "ansible_facts": {
        "packages": {
            "libbz2-1.0": [{
                "version": "1.0.6-5",
                "source": "apt",
                "arch": "amd64",
                "name": "libbz2-1.0"
            }],
            "patch": [{
                "version": "2.7.1-4ubuntu1",
                "source": "apt",
                "arch": "amd64",
                "name": "patch"
            }],
            "gcc-4.8-base": [{
                    "version": "4.8.2-19ubuntu1",
                    "source": "apt",
                    "arch": "amd64",
                    "name": "gcc-4.8-base"
                }
            ]
        }
    }
}

Further down, I would like to print any changes of package version through time, but at this stage I am trying to print the list of packages and their corresponding versions in a table.

I tried the following search, but it's not returning any results.

spath input=_raw | rename ansible_facts.packages{}.* as *
 | eval values=mvzip(mvzip(mvzip(name,version),release),arch)
 | mvexpand values| eval values = split(values,",")
 | eval name=mvindex(values,0)|eval version=mvindex(values,1) |eval release=mvindex(values,2)|eval arch=mvindex(values,3)
 | table name version release arch

Any help would be greatly appreciated.

0 Karma

pramit46
Contributor

@theiamdude, except for the ansible_facts block, the rest of the text does not look properly formatted as JSON.
What do you get when you run spath? Does it show ansible_facts in the fields section on the left side panel?

0 Karma

theiamdude
New Member

I am able to see some of the values in the fields section.

I am able to get other values under the ansible_facts block (below is not the entire block):
{
    "ansible_facts": {
        "ansible_distribution": "OracleLinux",
        "ansible_distribution_version": "6.9",
        "ansible_architecture": "x86_64",
        "ansible_os_family": "RedHat",
        "ansible_kernel": "3.8.13-118.21.4.el6uek.x86_64",
        "facter_processorcount": 2,
        "facter_memorysize": "7.80 GB",
        "facter_uptime": "34 days",
        "ansible_bios_version": "4.4.4OVM",
        "ansible_bios_date": "04/18/2018",
        "ansible_hostname": "localhost",
        "ansible_pkg_mgr": "yum",
        "ansible_user_id": "testapp",
        "packages": {
            "libbz2-1.0": [{
                "version": "1.0.6-5",
                "source": "apt",
                "arch": "amd64",
                "name": "libbz2-1.0"
            }],
            "patch": [{
                "version": "2.7.1-4ubuntu1",
                "source": "apt",
                "arch": "amd64",
                "name": "patch"
            }],
            "gcc-4.8-base": [{
                "version": "4.8.2-19ubuntu1",
                "source": "apt",
                "arch": "amd64",
                "name": "gcc-4.8-base"
            }]
        },
        "services": {
            "blk-availability": {
                "source": "sysv",
                "state": "running",
                "name": "blk-availability"
            },
            "lvm2-lvmetad": {
                "source": "sysv",
                "state": "running",
                "name": "lvm2-lvmetad"
            },
            "acpid": {
                "source": "sysv",
                "state": "running",
                "name": "acpid"
            }
        }
    }
}

When I run the following search I am able to get it in a table:
index=dev__inf source=AWX_source | spath logger_name | search logger_name="awx.analytics.system_tracking"
| spath input=_raw path="ansible_facts.ansible_distribution" output=linux_distribution
| spath input=_raw path="ansible_facts.ansible_distribution_version" output=distribution_version
| spath input=_raw path="ansible_facts.ansible_architecture" output=architecture
| spath input=_raw path="ansible_facts.ansible_os_family" output=os_family
| spath input=_raw path="ansible_facts.ansible_kernel" output=kernel
| spath input=_raw path="ansible_facts.facter_processorcount" output=processorcount
| spath input=_raw path="ansible_facts.facter_memorysize" output=memorysize
| spath input=_raw path="ansible_facts.ansible_bios_version" output=bios_version
| spath input=_raw path="ansible_facts.ansible_bios_date" output=bios_date
| spath input=_raw path="ansible_facts.ansible_hostname" output=hostname
| spath input=_raw path="ansible_facts.ansible_pkg_mgr" output=pkg_mgr
| spath input=_raw path="ansible_facts.ansible_user_id" output=user_id
| table hostname user_id architecture os_family linux_distribution distribution_version kernel pkg_mgr bios_version bios_date processorcount memorysize

    hostname              localhost
    user_id               testapp
    architecture          x86_64
    os_family             RedHat
    linux_distribution    OracleLinux
    distribution_version  6.9
    kernel                3.8.13
    pkg_mgr               yum
    bios_version          4.4.4OVM
    bios_date             04/18/2018
    processorcount        2
    memorysize            7.80 GB
0 Karma
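The search in the first post returns nothing because ansible_facts.packages is not an array: it is an object keyed by package name, and each value is an array of one or more objects. spath therefore names the extracted fields ansible_facts.packages.libbz2-1.0{}.version, ansible_facts.packages.patch{}.version and so on, so the wildcard rename ansible_facts.packages{}.* as * matches no field, and release does not exist at all for apt-sourced packages (it only appears for rpm). Below is an added example search, not code from either poster or from AWX, that flattens the packages object regardless of how many package names it contains, builds the name/version table, and then keeps only the rows where a package's version differs from the previous snapshot of the same host. It assumes the index, source and logger_name from the second post, the top-level host_name field visible in the event, and that every object under packages carries exactly one "name", "version", "arch" and "source" key, which is what the Ansible package_facts output shown in the thread contains. The regular expressions read those keys directly out of the raw JSON text of the packages block (obtained with spath), so they do not depend on key order within each object; the capture for the package source is named pkg_source so it does not clobber Splunk's own source field.

```spl
index=dev__inf source=AWX_source logger_name="awx.analytics.system_tracking"
| spath input=_raw path="ansible_facts.packages" output=pkgs
| rex field=pkgs max_match=0 "\"name\":\s*\"(?<name>[^\"]+)\""
| rex field=pkgs max_match=0 "\"version\":\s*\"(?<version>[^\"]+)\""
| rex field=pkgs max_match=0 "\"arch\":\s*\"(?<arch>[^\"]+)\""
| rex field=pkgs max_match=0 "\"source\":\s*\"(?<pkg_source>[^\"]+)\""
| eval pkg=mvzip(mvzip(mvzip(name, version, "|"), arch, "|"), pkg_source, "|")
| fields - pkgs name version arch pkg_source
| mvexpand pkg
| eval parts=split(pkg, "|")
| eval name=mvindex(parts, 0), version=mvindex(parts, 1), arch=mvindex(parts, 2), pkg_source=mvindex(parts, 3)
| fields - pkg parts
| sort 0 _time
| streamstats current=f last(version) as previous_version by host_name name
| where isnotnull(previous_version) AND previous_version!=version
| table _time host_name name previous_version version arch pkg_source
```

To get the plain inventory table (one row per host, snapshot and package) rather than only the changes, stop after the second fields command and finish with table _time host_name name version arch pkg_source. Each rex with max_match=0 yields a multivalue field with one entry per package object, in document order, so the nth name, version, arch and source all belong to the same object and mvzip pairs them correctly; "|" is a safe delimiter because neither Debian/RPM package names nor version strings contain it. One caveat for the change-tracking stage: a package installed in several versions at once (kernels on RPM hosts, for example) produces several rows with the same name in one snapshot, so streamstats will report it as changing on every run; if that matters, group by host_name, name and version instead, or compare values(version) across snapshots with stats.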