Solved: Re: How to parse JSON with multiple array

cuongnguyen112 · ‎10-20-2019

hi, i got data like this:

{
"source": "sadmin",
"sysinfo": {
"process_list": {
"56": {
"name": "nginx on",
"pid": 56,
"uid": 0,
"gid": 0
},
"57": {
"name": "nginx: worker process",
"pid": 57,
"uid": 33,
"gid": 33
},
}
}
}
i need to create a table from these data like below:

could any one please help me !!

kamlesh_vaghela · ‎10-20-2019

@cuongnguyen112

Can you please try this?

YOUR_SEARCH | rename sysinfo.process_list.* as * 
| eval field_name="",uid="",gid="",name="",pid="" 
| foreach *.* 
    [ eval field_name= mvindex(split("<<FIELD>>","."),1),val=case(field_name=="pid",pid,field_name=="gid",gid,field_name=="uid",uid,1=1,name), {field_name}=if(val!="",val.",","").'<<FIELD>>'] 
| eval tmp=mvzip(mvzip(mvzip(split(name,","),split(pid,",")),split(uid,",")),split(gid,",")) 
| fields _time tmp | mvexpand tmp | eval name=mvindex(split(tmp,","),0),pid=mvindex(split(tmp,","),1),uid=mvindex(split(tmp,","),2),gid=mvindex(split(tmp,","),3)
| table name pid uid gid

Sample Search:

| makeresults 
| eval _raw="{\"source\": \"sadmin\",\"sysinfo\": {\"process_list\": {\"56\": {\"name\": \"nginx on\",\"pid\": \"56\",\"uid\": \"0\",\"gid\": \"0\"},\"57\": {\"name\": \"nginx: worker process\",\"pid\": \"57\",\"uid\": \"33\",\"gid\": \"33\"},}}}" 
| spath 
| rename sysinfo.process_list.* as * 
| eval field_name="",uid="",gid="",name="",pid="" 
| foreach *.* 
    [ eval field_name= mvindex(split("<<FIELD>>","."),1),val=case(field_name=="pid",pid,field_name=="gid",gid,field_name=="uid",uid,1=1,name), {field_name}=if(val!="",val.",","").'<<FIELD>>'] 
| eval tmp=mvzip(mvzip(mvzip(split(name,","),split(pid,",")),split(uid,",")),split(gid,",")) 
| fields _time tmp | mvexpand tmp | eval name=mvindex(split(tmp,","),0),pid=mvindex(split(tmp,","),1),uid=mvindex(split(tmp,","),2),gid=mvindex(split(tmp,","),3)
| table name pid uid gid

Thanks

View solution in original post

kamlesh_vaghela · ‎10-20-2019

@cuongnguyen112

Can you please try this?

YOUR_SEARCH | rename sysinfo.process_list.* as * 
| eval field_name="",uid="",gid="",name="",pid="" 
| foreach *.* 
    [ eval field_name= mvindex(split("<<FIELD>>","."),1),val=case(field_name=="pid",pid,field_name=="gid",gid,field_name=="uid",uid,1=1,name), {field_name}=if(val!="",val.",","").'<<FIELD>>'] 
| eval tmp=mvzip(mvzip(mvzip(split(name,","),split(pid,",")),split(uid,",")),split(gid,",")) 
| fields _time tmp | mvexpand tmp | eval name=mvindex(split(tmp,","),0),pid=mvindex(split(tmp,","),1),uid=mvindex(split(tmp,","),2),gid=mvindex(split(tmp,","),3)
| table name pid uid gid

Sample Search:

| makeresults 
| eval _raw="{\"source\": \"sadmin\",\"sysinfo\": {\"process_list\": {\"56\": {\"name\": \"nginx on\",\"pid\": \"56\",\"uid\": \"0\",\"gid\": \"0\"},\"57\": {\"name\": \"nginx: worker process\",\"pid\": \"57\",\"uid\": \"33\",\"gid\": \"33\"},}}}" 
| spath 
| rename sysinfo.process_list.* as * 
| eval field_name="",uid="",gid="",name="",pid="" 
| foreach *.* 
    [ eval field_name= mvindex(split("<<FIELD>>","."),1),val=case(field_name=="pid",pid,field_name=="gid",gid,field_name=="uid",uid,1=1,name), {field_name}=if(val!="",val.",","").'<<FIELD>>'] 
| eval tmp=mvzip(mvzip(mvzip(split(name,","),split(pid,",")),split(uid,",")),split(gid,",")) 
| fields _time tmp | mvexpand tmp | eval name=mvindex(split(tmp,","),0),pid=mvindex(split(tmp,","),1),uid=mvindex(split(tmp,","),2),gid=mvindex(split(tmp,","),3)
| table name pid uid gid

Thanks

cuongnguyen112 · ‎10-20-2019

you're my hero, exactly what i needed

kamlesh_vaghela · ‎10-21-2019

🙂 Glad to help you.

!! Happy Splunking !!

How to parse JSON with multiple array

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!