Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to convert JSON array of Key/Value pairs to Column/Value?

mlevsh
Builder
‎05-19-2019 11:47 AM

Lets say we have Json data in the following format ( using 2 events as an example)

Event 1)

Time    Event 5/19/19 2:26:06.730 PM    
{ [-] 
   account_id: 1234567890 
   created_time: 2019-05-16T15:00:45.000Z 
   region: us-1
   tags: [ [-] 
     { [-] 
       Key: environment 
       Value: env1 
     } 
     { [-] 
       Key: data_class 
       Value: Class1 
     } 
     { [-] 
       Key: built_by 
       Value: group1
     } 
     { [-] 
       Key: description 
       Value: anything 
     } 
     { [-] 
       Key: application_id 
       Value: abc 
     } 
}

Event 2: 

5/19/19 2:26:06.620 PM  
{ [-] 
   account_id: 1234567891 
   created_time: 2019-05-13T21:31:02.710Z 
   region: us-1 
   tags: [ [-] 
     { [-] 
       Key: environment 
       Value: env2 
     } 
     { [-] 
       Key: data_class 
       Value: Class1 
     } 
     { [-] 
       Key: built_by 
       Value: group1
     } 
     { [-] 
       Key: description 
       Value: anything 
     } 
     { [-] 
       Key: application_id 
       Value: def 
     } 
   ]

The objective to display it in the following format: each Key in Key/Value pair needs to be a Column header and each Value needs to belong to corresponding Header(Key) , for example the above data needs to be in the following format

Environment       data_class      build_by      description      application_id
env1              Class1          group1      anything            abc
env2              Class2          group1      anything            def

Any ideas will be appreciated!

Tags (2)
0 Karma
Reply

to4kawa
Ultra Champion
‎01-10-2020 09:10 PM

Sample query:

| makeresults 
| eval _raw="{\"account_id\": \"1234567890\",\"created_time\": \"2019-05-16T15:00:45.000Z\",\"region\": \"us-1\",\"tags\": [ {\"Key\": \"environment\",\"Value\": \"env1\" }, {\"Key\" :\"data_class\",\"Value\": \"Class1\"},{\"Key\": \"built_by\",\"Value\": \"group1\" },{\"Key\": \"description\",\"Value\": \"anything\" },{\"Key\":\"application_id\",\"Value\": \"abc\" }] }" 
| spath
| eval _raw=mvzip('tags{}.Key','tags{}.Value',"=")
| kv
| fields - _* tags*

Recommend:

your_search
| spath
| eval _raw=mvzip('tags{}.Key','tags{}.Value',"=")
| kv
| fields - _* tags*
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎05-19-2019 10:58 PM

@mlevsh

Can you please try this?

index=YOUR_INDEX | rename tags{}.Key as Keys, tags{}.Value as Values | eval temp=mvzip(Keys,Values) | mvexpand temp | eval Key=mvindex(split(temp,","),0),Value=mvindex(split(temp,","),1) | table account_id Key Value | eval {Key} = Value | stats values(*) as * by account_id | fields - Key, Value

My Sample Search:

| makeresults | eval _raw="{\"account_id\": \"1234567890\",\"created_time\": \"2019-05-16T15:00:45.000Z\",\"region\": \"us-1\",\"tags\": [ {\"Key\": \"environment\",\"Value\": \"env1\" }, {\"Key\" :\"data_class\",\"Value\": \"Class1\"},{\"Key\": \"built_by\",\"Value\": \"group1\" },{\"Key\": \"description\",\"Value\": \"anything\" },{\"Key\":\"application_id\",\"Value\": \"abc\" }] }" | kv | rename tags{}.Key as Keys, tags{}.Value as Values | eval temp=mvzip(Keys,Values) | mvexpand temp | eval Key=mvindex(split(temp,","),0),Value=mvindex(split(temp,","),1) | table account_id Key Value | eval {Key} = Value | stats values(*) as * by account_id | fields - Key, Value

Thanks

0 Karma
Reply

koshyk
Super Champion
‎05-19-2019 12:26 PM

Your payload is not pure JSON, but a mixed message of timestamp && JSON
So there are two steps
1. Do at indextime for extracting timestamp and line breaker etc.
2. Do at searchtime for pure JSON message using REPORT-

The link https://answers.splunk.com/answers/117121/extract-json-data-within-the-logs-json-mixed-with.html will explain you how to do it using props & transforms.

Alternatively, if you Just wanted to do at Search time, you can use SPATH command. Feed the pure JSON into spath command http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/spath

0 Karma
Reply

mlevsh
Builder
‎05-20-2019 09:09 AM

@koshyk,
We are running Slunk Cloud and cannot easily make any modifications on Indexers or Search heads

We did tried to use spath command, but were not successful so far

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...