Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How do I write a search query for a hierachial JSON?

kjubie
New Member
‎08-10-2018 04:34 AM

(I have no experience in Splunk searches)
The question is simple:

I have a JSON like this:

{
    "name": "Testdata",
    "children": [
        {
            "name": "A",
            "children": [
            {
                "name": "A1",   
                "value": 436
            },
            {
                "name": "A2",
                "value": 546
            },
            {
                "name": "A3",
                "value": 223
            },
            {
                "name": "A4",
                "value": 132
            },
            {
                "name": "A5",
                "value": 115
            },
            {
                "name": "A6",
                "value": 96
            }]
        },
        {
            "name": "B",
            "children": [
            {
                "name": "B1",
                "value": 453
            },
            {
                "name": "B2",
                "value": 344
            },
            {
                "name": "B3",
                "value": 35
            },
            {
                "name": "B4",
                "value": 65
            },
            {
                "name": "B5",
                "value": 789
            },
            {
                "name": "B6",
                "value": 648
            },
            {
                "name": "B7",
                "value": 147
            }]
        }
      ]
}

and I want a table like this:

parent    |name   |value
A         |A1     | 436
A         |A2     | 546
...       |..     |..
B         |B1     |443

(Sorry for the bad drawn table)

Thanks for the answers!

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎08-10-2018 06:52 AM

Use spath to parse the json. Here is an example

| makeresults |eval json="{
     \"name\": \"Testdata\",
     \"children\": [
         {
             \"name\": \"A\",
             \"children\": [
             {
                 \"name\": \"A1\",    
                 \"value\": 436
             },
             {
                 \"name\": \"A2\",
                 \"value\": 546
             },
             {
                 \"name\": \"A3\",
                 \"value\": 223
             },
             {
                 \"name\": \"A4\",
                 \"value\": 132
             },
             {
                 \"name\": \"A5\",
                 \"value\": 115
             },
             {
                 \"name\": \"A6\",
                 \"value\": 96
             }]
         },
         {
             \"name\": \"B\",
             \"children\": [
             {
                 \"name\": \"B1\",
                 \"value\": 453
             },
             {
                 \"name\": \"B2\",
                 \"value\": 344
             },
             {
                 \"name\": \"B3\",
                 \"value\": 35
             },
             {
                 \"name\": \"B4\",
                 \"value\": 65
             },
             {
                 \"name\": \"B5\",
                 \"value\": 789
             },
             {
                 \"name\": \"B6\",
                 \"value\": 648
             },
             {
                 \"name\": \"B7\",
                 \"value\": 147
             }]
         }
       ]
 }"
 |spath input=json|table children{}.name,children{}.children{}.name,children{}.children{}.value
 |rename children{}.children{}.name as grand_child_name,children{}.name as child_name,children{}.children{}.value as grand_child_value
 |eval zipped=mvzip(grand_child_name,grand_child_value)|table child_name,zipped|mvexpand zipped
 |mvexpand child_name|eval x=split(zipped,",")|eval grand_child_name=mvindex(x,0),grand_child_value=mvindex(x,1)
 |table child_name,grand_child_name,grand_child_value|eval match=substr(grand_child_name,0,1)|where child_name==match|fields - match
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎08-10-2018 06:52 AM

Use spath to parse the json. Here is an example

| makeresults |eval json="{
     \"name\": \"Testdata\",
     \"children\": [
         {
             \"name\": \"A\",
             \"children\": [
             {
                 \"name\": \"A1\",    
                 \"value\": 436
             },
             {
                 \"name\": \"A2\",
                 \"value\": 546
             },
             {
                 \"name\": \"A3\",
                 \"value\": 223
             },
             {
                 \"name\": \"A4\",
                 \"value\": 132
             },
             {
                 \"name\": \"A5\",
                 \"value\": 115
             },
             {
                 \"name\": \"A6\",
                 \"value\": 96
             }]
         },
         {
             \"name\": \"B\",
             \"children\": [
             {
                 \"name\": \"B1\",
                 \"value\": 453
             },
             {
                 \"name\": \"B2\",
                 \"value\": 344
             },
             {
                 \"name\": \"B3\",
                 \"value\": 35
             },
             {
                 \"name\": \"B4\",
                 \"value\": 65
             },
             {
                 \"name\": \"B5\",
                 \"value\": 789
             },
             {
                 \"name\": \"B6\",
                 \"value\": 648
             },
             {
                 \"name\": \"B7\",
                 \"value\": 147
             }]
         }
       ]
 }"
 |spath input=json|table children{}.name,children{}.children{}.name,children{}.children{}.value
 |rename children{}.children{}.name as grand_child_name,children{}.name as child_name,children{}.children{}.value as grand_child_value
 |eval zipped=mvzip(grand_child_name,grand_child_value)|table child_name,zipped|mvexpand zipped
 |mvexpand child_name|eval x=split(zipped,",")|eval grand_child_name=mvindex(x,0),grand_child_value=mvindex(x,1)
 |table child_name,grand_child_name,grand_child_value|eval match=substr(grand_child_name,0,1)|where child_name==match|fields - match
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

DalJeanis
Legend
‎08-10-2018 10:36 PM

Converted this to an answer because it answers the question with an excellent run-anywhere example.

Reply
Solved! Jump to solution

kjubie
New Member
‎08-13-2018 12:08 AM

Thanks for your help! Works perfectly!

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎08-10-2018 10:46 PM

Thanks @DalJeanis !

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...