Solved: How to extract the nested array coordinates from J...

weiquanswq · ‎10-06-2016

Hi !!
I am new to Splunk and trying to extract the array coordinates from Json.

{"type":"Feature","geometry":{"type":"MultiPoint","coordinates":[[103.62107,1.27478],[103.622,1.29625],  ……., [103.6224,1.28207]]}}

Is anyone able to help me out here?

Thanks

weiquanswq · ‎10-12-2016

I able to achieve the results I want using spath and extract according to the index.

My code is as follows:
... | spath path=features{}.geometry.coordinates{}{0} output=a | spath path=features{}.geometry.coordinates{}{1} output=b | table a b | eval x=mvzip(a,b)| mvexpand x

Hope this will be useful. 🙂

View solution in original post

weiquanswq · ‎10-12-2016

I able to achieve the results I want using spath and extract according to the index.

My code is as follows:
... | spath path=features{}.geometry.coordinates{}{0} output=a | spath path=features{}.geometry.coordinates{}{1} output=b | table a b | eval x=mvzip(a,b)| mvexpand x

Hope this will be useful. 🙂

sshelly_splunk · ‎10-11-2016

Try this in your props.conf:
under the sourcetype or monitor stanza:

Example:

[myjson_sourcetype]
EXTRACT-coordinates = `\[\[(?P<coord_1>\S+)],\[(?P<coord_2>\S+)\].+\[(?P<coord_3>\S+)\]\]`

The above will create the 3 fields (coord_1, 2 and 3. Assuming the data comes in like that, you should be good to go. If not, please post more of the data, so we can all take a look.

How to extract the nested array coordinates from JSON?

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!