Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to parse JSON with multiple array

cuongnguyen112
Engager
‎10-20-2019 09:07 PM

hi, i got data like this:

{
"source": "sadmin",
"sysinfo": {
"process_list": {
"56": {
"name": "nginx on",
"pid": 56,
"uid": 0,
"gid": 0
},
"57": {
"name": "nginx: worker process",
"pid": 57,
"uid": 33,
"gid": 33
},
}
}
}
i need to create a table from these data like below: alt text

could any one please help me !!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎10-20-2019 11:21 PM

@cuongnguyen112

Can you please try this?

YOUR_SEARCH | rename sysinfo.process_list.* as * 
| eval field_name="",uid="",gid="",name="",pid="" 
| foreach *.* 
    [ eval field_name= mvindex(split("<<FIELD>>","."),1),val=case(field_name=="pid",pid,field_name=="gid",gid,field_name=="uid",uid,1=1,name), {field_name}=if(val!="",val.",","").'<<FIELD>>'] 
| eval tmp=mvzip(mvzip(mvzip(split(name,","),split(pid,",")),split(uid,",")),split(gid,",")) 
| fields _time tmp | mvexpand tmp | eval name=mvindex(split(tmp,","),0),pid=mvindex(split(tmp,","),1),uid=mvindex(split(tmp,","),2),gid=mvindex(split(tmp,","),3)
| table name pid uid gid

Sample Search:

| makeresults 
| eval _raw="{\"source\": \"sadmin\",\"sysinfo\": {\"process_list\": {\"56\": {\"name\": \"nginx on\",\"pid\": \"56\",\"uid\": \"0\",\"gid\": \"0\"},\"57\": {\"name\": \"nginx: worker process\",\"pid\": \"57\",\"uid\": \"33\",\"gid\": \"33\"},}}}" 
| spath 
| rename sysinfo.process_list.* as * 
| eval field_name="",uid="",gid="",name="",pid="" 
| foreach *.* 
    [ eval field_name= mvindex(split("<<FIELD>>","."),1),val=case(field_name=="pid",pid,field_name=="gid",gid,field_name=="uid",uid,1=1,name), {field_name}=if(val!="",val.",","").'<<FIELD>>'] 
| eval tmp=mvzip(mvzip(mvzip(split(name,","),split(pid,",")),split(uid,",")),split(gid,",")) 
| fields _time tmp | mvexpand tmp | eval name=mvindex(split(tmp,","),0),pid=mvindex(split(tmp,","),1),uid=mvindex(split(tmp,","),2),gid=mvindex(split(tmp,","),3)
| table name pid uid gid

Thanks

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎10-20-2019 11:21 PM

@cuongnguyen112

Can you please try this?

YOUR_SEARCH | rename sysinfo.process_list.* as * 
| eval field_name="",uid="",gid="",name="",pid="" 
| foreach *.* 
    [ eval field_name= mvindex(split("<<FIELD>>","."),1),val=case(field_name=="pid",pid,field_name=="gid",gid,field_name=="uid",uid,1=1,name), {field_name}=if(val!="",val.",","").'<<FIELD>>'] 
| eval tmp=mvzip(mvzip(mvzip(split(name,","),split(pid,",")),split(uid,",")),split(gid,",")) 
| fields _time tmp | mvexpand tmp | eval name=mvindex(split(tmp,","),0),pid=mvindex(split(tmp,","),1),uid=mvindex(split(tmp,","),2),gid=mvindex(split(tmp,","),3)
| table name pid uid gid

Sample Search:

| makeresults 
| eval _raw="{\"source\": \"sadmin\",\"sysinfo\": {\"process_list\": {\"56\": {\"name\": \"nginx on\",\"pid\": \"56\",\"uid\": \"0\",\"gid\": \"0\"},\"57\": {\"name\": \"nginx: worker process\",\"pid\": \"57\",\"uid\": \"33\",\"gid\": \"33\"},}}}" 
| spath 
| rename sysinfo.process_list.* as * 
| eval field_name="",uid="",gid="",name="",pid="" 
| foreach *.* 
    [ eval field_name= mvindex(split("<<FIELD>>","."),1),val=case(field_name=="pid",pid,field_name=="gid",gid,field_name=="uid",uid,1=1,name), {field_name}=if(val!="",val.",","").'<<FIELD>>'] 
| eval tmp=mvzip(mvzip(mvzip(split(name,","),split(pid,",")),split(uid,",")),split(gid,",")) 
| fields _time tmp | mvexpand tmp | eval name=mvindex(split(tmp,","),0),pid=mvindex(split(tmp,","),1),uid=mvindex(split(tmp,","),2),gid=mvindex(split(tmp,","),3)
| table name pid uid gid

Thanks

0 Karma
Reply
Solved! Jump to solution

cuongnguyen112
Engager
‎10-20-2019 11:38 PM

you're my hero, exactly what i needed

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎10-21-2019 12:27 AM

🙂 Glad to help you.

!! Happy Splunking !!

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Celebrating the Winners of the ‘Splunk Build-a-thon’ Hackathon!

We are thrilled to announce the winners of the Splunk Build-a-thon, our first-ever hackathon dedicated to ...

Why You Should Register for Splunk University at .conf25

Level up before .conf25 even begins Splunk University is back in Boston, September 6–8, and it’s your chance ...

Building Splunk proficiency is a marathon, not a sprint

Building Splunk skills is a lot like training for a marathon. It’s about consistent progress, celebrating ...
Top