Solved: Re: How to parse JSON with multiple array

cuongnguyen112 · ‎10-20-2019

hi, i got data like this:

{
"source": "sadmin",
"sysinfo": {
"process_list": {
"56": {
"name": "nginx on",
"pid": 56,
"uid": 0,
"gid": 0
},
"57": {
"name": "nginx: worker process",
"pid": 57,
"uid": 33,
"gid": 33
},
}
}
}
i need to create a table from these data like below:

could any one please help me !!

kamlesh_vaghela · ‎10-20-2019

@cuongnguyen112

Can you please try this?

YOUR_SEARCH | rename sysinfo.process_list.* as * 
| eval field_name="",uid="",gid="",name="",pid="" 
| foreach *.* 
    [ eval field_name= mvindex(split("<<FIELD>>","."),1),val=case(field_name=="pid",pid,field_name=="gid",gid,field_name=="uid",uid,1=1,name), {field_name}=if(val!="",val.",","").'<<FIELD>>'] 
| eval tmp=mvzip(mvzip(mvzip(split(name,","),split(pid,",")),split(uid,",")),split(gid,",")) 
| fields _time tmp | mvexpand tmp | eval name=mvindex(split(tmp,","),0),pid=mvindex(split(tmp,","),1),uid=mvindex(split(tmp,","),2),gid=mvindex(split(tmp,","),3)
| table name pid uid gid

Sample Search:

| makeresults 
| eval _raw="{\"source\": \"sadmin\",\"sysinfo\": {\"process_list\": {\"56\": {\"name\": \"nginx on\",\"pid\": \"56\",\"uid\": \"0\",\"gid\": \"0\"},\"57\": {\"name\": \"nginx: worker process\",\"pid\": \"57\",\"uid\": \"33\",\"gid\": \"33\"},}}}" 
| spath 
| rename sysinfo.process_list.* as * 
| eval field_name="",uid="",gid="",name="",pid="" 
| foreach *.* 
    [ eval field_name= mvindex(split("<<FIELD>>","."),1),val=case(field_name=="pid",pid,field_name=="gid",gid,field_name=="uid",uid,1=1,name), {field_name}=if(val!="",val.",","").'<<FIELD>>'] 
| eval tmp=mvzip(mvzip(mvzip(split(name,","),split(pid,",")),split(uid,",")),split(gid,",")) 
| fields _time tmp | mvexpand tmp | eval name=mvindex(split(tmp,","),0),pid=mvindex(split(tmp,","),1),uid=mvindex(split(tmp,","),2),gid=mvindex(split(tmp,","),3)
| table name pid uid gid

Thanks

View solution in original post

kamlesh_vaghela · ‎10-20-2019

@cuongnguyen112

Can you please try this?

YOUR_SEARCH | rename sysinfo.process_list.* as * 
| eval field_name="",uid="",gid="",name="",pid="" 
| foreach *.* 
    [ eval field_name= mvindex(split("<<FIELD>>","."),1),val=case(field_name=="pid",pid,field_name=="gid",gid,field_name=="uid",uid,1=1,name), {field_name}=if(val!="",val.",","").'<<FIELD>>'] 
| eval tmp=mvzip(mvzip(mvzip(split(name,","),split(pid,",")),split(uid,",")),split(gid,",")) 
| fields _time tmp | mvexpand tmp | eval name=mvindex(split(tmp,","),0),pid=mvindex(split(tmp,","),1),uid=mvindex(split(tmp,","),2),gid=mvindex(split(tmp,","),3)
| table name pid uid gid

Sample Search:

| makeresults 
| eval _raw="{\"source\": \"sadmin\",\"sysinfo\": {\"process_list\": {\"56\": {\"name\": \"nginx on\",\"pid\": \"56\",\"uid\": \"0\",\"gid\": \"0\"},\"57\": {\"name\": \"nginx: worker process\",\"pid\": \"57\",\"uid\": \"33\",\"gid\": \"33\"},}}}" 
| spath 
| rename sysinfo.process_list.* as * 
| eval field_name="",uid="",gid="",name="",pid="" 
| foreach *.* 
    [ eval field_name= mvindex(split("<<FIELD>>","."),1),val=case(field_name=="pid",pid,field_name=="gid",gid,field_name=="uid",uid,1=1,name), {field_name}=if(val!="",val.",","").'<<FIELD>>'] 
| eval tmp=mvzip(mvzip(mvzip(split(name,","),split(pid,",")),split(uid,",")),split(gid,",")) 
| fields _time tmp | mvexpand tmp | eval name=mvindex(split(tmp,","),0),pid=mvindex(split(tmp,","),1),uid=mvindex(split(tmp,","),2),gid=mvindex(split(tmp,","),3)
| table name pid uid gid

Thanks

cuongnguyen112 · ‎10-20-2019

you're my hero, exactly what i needed

kamlesh_vaghela · ‎10-21-2019

🙂 Glad to help you.

!! Happy Splunking !!

How to parse JSON with multiple array

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!