Getting Data In

How to parse JSON with multiple array

cuongnguyen112
Engager

hi, i got data like this:

{
"source": "sadmin",
"sysinfo": {
"process_list": {
"56": {
"name": "nginx on",
"pid": 56,
"uid": 0,
"gid": 0
},
"57": {
"name": "nginx: worker process",
"pid": 57,
"uid": 33,
"gid": 33
},
}
}
}
i need to create a table from these data like below: alt text

could any one please help me !!

Tags (1)
0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

@cuongnguyen112

Can you please try this?

YOUR_SEARCH | rename sysinfo.process_list.* as * 
| eval field_name="",uid="",gid="",name="",pid="" 
| foreach *.* 
    [ eval field_name= mvindex(split("<<FIELD>>","."),1),val=case(field_name=="pid",pid,field_name=="gid",gid,field_name=="uid",uid,1=1,name), {field_name}=if(val!="",val.",","").'<<FIELD>>'] 
| eval tmp=mvzip(mvzip(mvzip(split(name,","),split(pid,",")),split(uid,",")),split(gid,",")) 
| fields _time tmp | mvexpand tmp | eval name=mvindex(split(tmp,","),0),pid=mvindex(split(tmp,","),1),uid=mvindex(split(tmp,","),2),gid=mvindex(split(tmp,","),3)
| table name pid uid gid

Sample Search:

| makeresults 
| eval _raw="{\"source\": \"sadmin\",\"sysinfo\": {\"process_list\": {\"56\": {\"name\": \"nginx on\",\"pid\": \"56\",\"uid\": \"0\",\"gid\": \"0\"},\"57\": {\"name\": \"nginx: worker process\",\"pid\": \"57\",\"uid\": \"33\",\"gid\": \"33\"},}}}" 
| spath 
| rename sysinfo.process_list.* as * 
| eval field_name="",uid="",gid="",name="",pid="" 
| foreach *.* 
    [ eval field_name= mvindex(split("<<FIELD>>","."),1),val=case(field_name=="pid",pid,field_name=="gid",gid,field_name=="uid",uid,1=1,name), {field_name}=if(val!="",val.",","").'<<FIELD>>'] 
| eval tmp=mvzip(mvzip(mvzip(split(name,","),split(pid,",")),split(uid,",")),split(gid,",")) 
| fields _time tmp | mvexpand tmp | eval name=mvindex(split(tmp,","),0),pid=mvindex(split(tmp,","),1),uid=mvindex(split(tmp,","),2),gid=mvindex(split(tmp,","),3)
| table name pid uid gid

Thanks

View solution in original post

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@cuongnguyen112

Can you please try this?

YOUR_SEARCH | rename sysinfo.process_list.* as * 
| eval field_name="",uid="",gid="",name="",pid="" 
| foreach *.* 
    [ eval field_name= mvindex(split("<<FIELD>>","."),1),val=case(field_name=="pid",pid,field_name=="gid",gid,field_name=="uid",uid,1=1,name), {field_name}=if(val!="",val.",","").'<<FIELD>>'] 
| eval tmp=mvzip(mvzip(mvzip(split(name,","),split(pid,",")),split(uid,",")),split(gid,",")) 
| fields _time tmp | mvexpand tmp | eval name=mvindex(split(tmp,","),0),pid=mvindex(split(tmp,","),1),uid=mvindex(split(tmp,","),2),gid=mvindex(split(tmp,","),3)
| table name pid uid gid

Sample Search:

| makeresults 
| eval _raw="{\"source\": \"sadmin\",\"sysinfo\": {\"process_list\": {\"56\": {\"name\": \"nginx on\",\"pid\": \"56\",\"uid\": \"0\",\"gid\": \"0\"},\"57\": {\"name\": \"nginx: worker process\",\"pid\": \"57\",\"uid\": \"33\",\"gid\": \"33\"},}}}" 
| spath 
| rename sysinfo.process_list.* as * 
| eval field_name="",uid="",gid="",name="",pid="" 
| foreach *.* 
    [ eval field_name= mvindex(split("<<FIELD>>","."),1),val=case(field_name=="pid",pid,field_name=="gid",gid,field_name=="uid",uid,1=1,name), {field_name}=if(val!="",val.",","").'<<FIELD>>'] 
| eval tmp=mvzip(mvzip(mvzip(split(name,","),split(pid,",")),split(uid,",")),split(gid,",")) 
| fields _time tmp | mvexpand tmp | eval name=mvindex(split(tmp,","),0),pid=mvindex(split(tmp,","),1),uid=mvindex(split(tmp,","),2),gid=mvindex(split(tmp,","),3)
| table name pid uid gid

Thanks

0 Karma

cuongnguyen112
Engager

you're my hero, exactly what i needed

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

🙂 Glad to help you.

!! Happy Splunking !!

0 Karma
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...