Solved: How to extract the nested array coordinates from J...

weiquanswq · ‎10-06-2016

Hi !!
I am new to Splunk and trying to extract the array coordinates from Json.

{"type":"Feature","geometry":{"type":"MultiPoint","coordinates":[[103.62107,1.27478],[103.622,1.29625],  ……., [103.6224,1.28207]]}}

Is anyone able to help me out here?

Thanks

weiquanswq · ‎10-12-2016

I able to achieve the results I want using spath and extract according to the index.

My code is as follows:
... | spath path=features{}.geometry.coordinates{}{0} output=a | spath path=features{}.geometry.coordinates{}{1} output=b | table a b | eval x=mvzip(a,b)| mvexpand x

Hope this will be useful. 🙂

View solution in original post

weiquanswq · ‎10-12-2016

I able to achieve the results I want using spath and extract according to the index.

My code is as follows:
... | spath path=features{}.geometry.coordinates{}{0} output=a | spath path=features{}.geometry.coordinates{}{1} output=b | table a b | eval x=mvzip(a,b)| mvexpand x

Hope this will be useful. 🙂

sshelly_splunk · ‎10-11-2016

Try this in your props.conf:
under the sourcetype or monitor stanza:

Example:

[myjson_sourcetype]
EXTRACT-coordinates = `\[\[(?P<coord_1>\S+)],\[(?P<coord_2>\S+)\].+\[(?P<coord_3>\S+)\]\]`

The above will create the 3 fields (coord_1, 2 and 3. Assuming the data comes in like that, you should be good to go. If not, please post more of the data, so we can all take a look.

How to extract the nested array coordinates from JSON?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

SplunkTrust Application Period is Officially OPEN!

Join the Conversation