Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to convert JSON into specific table format

rsharma1984
Explorer
‎02-10-2020 08:30 AM

This what we have in logs: index="xyz" INFO certvalidationtask

And this prints a JSON object which consists of a list of commonName + ExpirationDate

Stage.env e401a4ee-1652-48f6-8785-e8536524a317 [APP/PROC/WEB/0] - - 2020-02-10 16:09:01.525  INFO 22 --- [pool-1-thread-1] c.a.c.f.c.task.CertValidationTask        : {commonName='tiktok.com', expirationDate='2020-05-21 17:50:20'}{commonName='instagram.com', expirationDate='2020-07-11 16:56:37'}{commonName='blahblah.com', expirationDate='2020-12-08 11:30:42'}{commonName='advantage.com', expirationDate='2020-12-10 11:41:31'}{commonName='GHGHAGHGH', expirationDate='2021-05-19 08:34:03'}{commonName='Apple Google Word Wide exercise', expirationDate='2023-02-07 15:48:47'}{commonName='some internal cert1', expirationDate='2026-06-22 13:02:27'}{commonName='Some internal cert2', expirationDate='2036-06-22 11:23:21'}

I wanted a table which contains 2 columns -> Common Name & Expiration Date. Where if the expiration date is less than 30 days from the current date we show that in RED color, for less than 90 days we show in Yellow, everything else in Green.

Much much thanks in Advanced.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎02-10-2020 09:27 AM

You could do this with rex and some eval

index="xyz" INFO certvalidationtask 
|rex max_match=0 "commonName=\'(?P<commonName>[^\']+)\'\,\sexpirationDate=\'(?P<expirationDate>[^\']+)"
|eval temp=mvzip(commonName,expirationDate,"#")
|mvexpand temp
|rex field=temp "(?<commonName>.+)#(?<expirationDate>.+)"
|eval expiresInDays=floor((strptime(expirationDate, "%Y-%m-%d %H:%M:%S") - now())/86400)
|table commonName expirationDate expiresInDays

Then you can use table formatting to set your colours

If my comment helps, please give it a thumbs up!

View solution in original post

Reply
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎02-10-2020 09:27 AM

You could do this with rex and some eval

index="xyz" INFO certvalidationtask 
|rex max_match=0 "commonName=\'(?P<commonName>[^\']+)\'\,\sexpirationDate=\'(?P<expirationDate>[^\']+)"
|eval temp=mvzip(commonName,expirationDate,"#")
|mvexpand temp
|rex field=temp "(?<commonName>.+)#(?<expirationDate>.+)"
|eval expiresInDays=floor((strptime(expirationDate, "%Y-%m-%d %H:%M:%S") - now())/86400)
|table commonName expirationDate expiresInDays

Then you can use table formatting to set your colours

If my comment helps, please give it a thumbs up!
Reply
Solved! Jump to solution

nickhills
Ultra Champion
‎02-10-2020 09:44 AM

Whoops - overlooked its multivalued.
Edited to also use mvzip and mvexpand, otherwise it would only work for for the first cert.

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Solved! Jump to solution

rsharma1984
Explorer
‎02-10-2020 10:22 AM

Thank you Genius @nickhillscpl

Any idea on coloring?

0 Karma
Reply
Solved! Jump to solution

nickhills
Ultra Champion
‎02-10-2020 11:08 AM

In the table view, click the little paintbrush icon at the top of each column. Select Colour-Ranges

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Solved! Jump to solution

rsharma1984
Explorer
‎02-10-2020 11:11 AM

Thanks Boss

0 Karma
Reply
Get Updates on the Splunk Community!

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Attention everyone! We have exciting news to share! We are recruiting new members for the Mission Possible: ...

Unify Your SecOps with Splunk Mission Control

In today’s post, I'm excited to share some recent Splunk Mission Control innovations. With Splunk Mission ...

Data Preparation Made Easy: SPL2 for Edge Processor

By now, you may have heard the exciting news that Edge Processor, the easy-to-use Splunk data preparation tool ...