Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Getting Data In
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How do I write a search query for a hierachial JSO...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kjubie
New Member
08-10-2018
04:34 AM
(I have no experience in Splunk searches)
The question is simple:
I have a JSON like this:
{
"name": "Testdata",
"children": [
{
"name": "A",
"children": [
{
"name": "A1",
"value": 436
},
{
"name": "A2",
"value": 546
},
{
"name": "A3",
"value": 223
},
{
"name": "A4",
"value": 132
},
{
"name": "A5",
"value": 115
},
{
"name": "A6",
"value": 96
}]
},
{
"name": "B",
"children": [
{
"name": "B1",
"value": 453
},
{
"name": "B2",
"value": 344
},
{
"name": "B3",
"value": 35
},
{
"name": "B4",
"value": 65
},
{
"name": "B5",
"value": 789
},
{
"name": "B6",
"value": 648
},
{
"name": "B7",
"value": 147
}]
}
]
}
and I want a table like this:
parent |name |value
A |A1 | 436
A |A2 | 546
... |.. |..
B |B1 |443
(Sorry for the bad drawn table)
Thanks for the answers!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
08-10-2018
06:52 AM
Use spath to parse the json. Here is an example
| makeresults |eval json="{
\"name\": \"Testdata\",
\"children\": [
{
\"name\": \"A\",
\"children\": [
{
\"name\": \"A1\",
\"value\": 436
},
{
\"name\": \"A2\",
\"value\": 546
},
{
\"name\": \"A3\",
\"value\": 223
},
{
\"name\": \"A4\",
\"value\": 132
},
{
\"name\": \"A5\",
\"value\": 115
},
{
\"name\": \"A6\",
\"value\": 96
}]
},
{
\"name\": \"B\",
\"children\": [
{
\"name\": \"B1\",
\"value\": 453
},
{
\"name\": \"B2\",
\"value\": 344
},
{
\"name\": \"B3\",
\"value\": 35
},
{
\"name\": \"B4\",
\"value\": 65
},
{
\"name\": \"B5\",
\"value\": 789
},
{
\"name\": \"B6\",
\"value\": 648
},
{
\"name\": \"B7\",
\"value\": 147
}]
}
]
}"
|spath input=json|table children{}.name,children{}.children{}.name,children{}.children{}.value
|rename children{}.children{}.name as grand_child_name,children{}.name as child_name,children{}.children{}.value as grand_child_value
|eval zipped=mvzip(grand_child_name,grand_child_value)|table child_name,zipped|mvexpand zipped
|mvexpand child_name|eval x=split(zipped,",")|eval grand_child_name=mvindex(x,0),grand_child_value=mvindex(x,1)
|table child_name,grand_child_name,grand_child_value|eval match=substr(grand_child_name,0,1)|where child_name==match|fields - match
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
08-10-2018
06:52 AM
Use spath to parse the json. Here is an example
| makeresults |eval json="{
\"name\": \"Testdata\",
\"children\": [
{
\"name\": \"A\",
\"children\": [
{
\"name\": \"A1\",
\"value\": 436
},
{
\"name\": \"A2\",
\"value\": 546
},
{
\"name\": \"A3\",
\"value\": 223
},
{
\"name\": \"A4\",
\"value\": 132
},
{
\"name\": \"A5\",
\"value\": 115
},
{
\"name\": \"A6\",
\"value\": 96
}]
},
{
\"name\": \"B\",
\"children\": [
{
\"name\": \"B1\",
\"value\": 453
},
{
\"name\": \"B2\",
\"value\": 344
},
{
\"name\": \"B3\",
\"value\": 35
},
{
\"name\": \"B4\",
\"value\": 65
},
{
\"name\": \"B5\",
\"value\": 789
},
{
\"name\": \"B6\",
\"value\": 648
},
{
\"name\": \"B7\",
\"value\": 147
}]
}
]
}"
|spath input=json|table children{}.name,children{}.children{}.name,children{}.children{}.value
|rename children{}.children{}.name as grand_child_name,children{}.name as child_name,children{}.children{}.value as grand_child_value
|eval zipped=mvzip(grand_child_name,grand_child_value)|table child_name,zipped|mvexpand zipped
|mvexpand child_name|eval x=split(zipped,",")|eval grand_child_name=mvindex(x,0),grand_child_value=mvindex(x,1)
|table child_name,grand_child_name,grand_child_value|eval match=substr(grand_child_name,0,1)|where child_name==match|fields - match
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
08-10-2018
10:36 PM
Converted this to an answer because it answers the question with an excellent run-anywhere example.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kjubie
New Member
08-13-2018
12:08 AM
Thanks for your help! Works perfectly!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
08-10-2018
10:46 PM
Thanks @DalJeanis !
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
Get Updates on the Splunk Community!
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
Tuesday, May 14, 2024 | 11AM PT / 2PM ET
Register to Attend
Join us for this Tech Talk and learn how to ...
.conf24 | Personalize your .conf experience with Learning Paths!
Personalize your .conf24 Experience
Learning paths allow you to level up your skill sets and dive deeper ...
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...
