Need help a parson json and extract in table forma...

usharaniallwyn · ‎05-05-2019

Hi ,
I have a json and i want to extract few details in table format .

The json array is like
[features{
elements{
steps{
name
}
}
}
failed:2,
passed:0]

My query:

source="jsondata.json"  index="art" sourcetype="_json"|mvexpand "features{}.elements{}.failed"|rename "features{}.elements{}.failed" as FailedNumber| eval Status=if(FailedNumber=0,"Pass","Fail")|table Status,FailedNumber

Status FailedNumber

Fail 2
Pass 0
Fail 1

second query :

source="jsondata.json" host="CDC2-L-CG72VP2" index="art" sourcetype="_json"|spath output=myfield path="features{}.elements{}.steps{0}.name"|mvexpand myfield |table myfield

myfield↕

the testcase name is "ValidateNetworkBHUtilization"
the testcase is ValidateTrendAmbulatoryCondition
the testcase is TrendHomeHealthCondition

I want ,

Status FailedNumber myfield↕

Fail 2 the testcase name is "ValidateNetworkBHUtilization"
Pass 0 the testcase is ValidateTrendAmbulatoryCondition
Fail 1 the testcase is TrendHomeHealthCondition

woodcock · ‎05-05-2019

Like this:

index="art" source="jsondata.json"  sourcetype="_json"
| multireport
[ mvexpand "features{}.elements{}.failed"|rename "features{}.elements{}.failed" as FailedNumber
| eval Status=if(FailedNumber=0,"Pass","Fail")
|table Status,FailedNumber
|stats count AS _serial]
[ search host="CDC2-L-CG72VP2"
|spath output=myfield path="features{}.elements{}.steps{0}.name"
|mvexpand myfield
|table myfield
| stats count AS _serial]
| selfjoin _serial

Need help a parson json and extract in table format

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann