Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Zip values from JSON.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Zip values from JSON.
I want to get the total units by PartNumber. I tried using spath but it didnt work maybe I am doing something wrong, this is my 1st time work with Json bodies in Splunk, can someone help. Thanks.
{ [-]
app: { [+]
}
dtm: 2019-09-16 11:21:30.780 PDT
logger: transaction.com.WEB_ORDER_CREATE
msg: { [-]
data: { [-]
cartId: 00000000-784f-642d-d000-0000784f142d
casId: a493ff7e-2d87-416c-ba08-0663107e958c
clientSubType: web.common
clientType: web
cosId: 80f1a259-7187-4f01-9c85-acd7e054233d
deliveryGroup: SINGLE_ADDRESS
features: [ [-]
crd
]
fraudDecision: NF
lineItems: [ [-]
{ [-]
commitCode: 0
deliveryDate: Wed, Sep 18
deliveryType: STH
partNumber: MRYR2LL/A
product: Phone 64GB Black
qty: 2
resolvedDate: Wed, Sep 18
shipMethodCode: E2
}
{ [-]
commitCode: 0
deliveryDate: Within 5 days after shipping
deliveryType: STH
partNumber: MRW62ZM/A
product: Phone Case
qty: 1
resolvedDate: In Stock
shipMethodCode: UG
}
]
ops.response: SUCCEEDED
orderType: order
payments: [ [+]
]
pssId: Wb90d652a55994842b0474288ba0dea76
remoteHost: 17.123.345
storeFront: { [+]
}
webOrderNumber: W12345678
}
headerData: { [+]
}
}
}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @sandeepmakkena,
please find below the query that results in a table containing the number of partNumber per qty.
|makeresults|eval _raw="{
\"app\": {
\"foo1\": \"bar1\"
},
\"dtm\": \"2019-09-16 11:21:30.780 PDT\",
\"logger\": \"transaction.com.WEB_ORDER_CREATE\",
\"msg\": {
\"data\": {
\"cartId\": \"00000000-784f-642d-d000-0000784f142d\",
\"casId\": \"a493ff7e-2d87-416c-ba08-0663107e958c\",
\"clientSubType\": \"web.common\",
\"clientType\": \"web\",
\"cosId\": \"80f1a259-7187-4f01-9c85-acd7e054233d\",
\"deliveryGroup\": \"SINGLE_ADDRESS\",
\"features\": [\"crd\"],
\"fraudDecision\": \"NF\",
\"lineItems\": [{
\"commitCode\": 0,
\"deliveryDate\": \"Wed, Sep 18\",
\"deliveryType\": \"STH\",
\"partNumber\": \"MRYR2LL/A\",
\"product\": \"Phone 64GB Black\",
\"qty\": 2,
\"resolvedDate\": \"Wed, Sep 18\",
\"shipMethodCode\": \"E2\"
},
{
\"commitCode\": 0,
\"deliveryDate\": \"Within 5 days after shipping\",
\"deliveryType\": \"STH\",
\"partNumber\": \"MRW62ZM/A\",
\"product\": \"Phone Case\",
\"qty\": 1,
\"resolvedDate\": \"In Stock\",
\"shipMethodCode\": \"UG\"
}
],
\"ops.response\": \"SUCCEEDED\",
\"orderType\": \"order\",
\"payments\": [{
\"foo2\": \"bar2\"
}],
\"pssId\": \"Wb90d652a55994842b0474288ba0dea76\",
\"remoteHost\": \"17.123.345\",
\"storeFront\": {
\"foo3\": \"bar3\"
},
\"webOrderNumber\": \"W12345678\"
},
\"headerData\": {
\"foo4\": \"bar4\"
}
}
}"|spath |rename msg.data.lineItems{}.partNumber as partNumber msg.data.lineItems{}.qty as qty |table partNumber, qty| eval x=mvzip(partNumber, qty)|table x |mvexpand x
| eval x = split(x,",")|eval partNumber = mvindex(x,0)|eval qty=mvindex(x,1)|table partNumber,qty
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@sandeepmakkena
Can you please share valid JSON event into code block?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Unlocking Unified Insights: New Gigamon Federated Search App for Splunk
GA: New Data Management App in Splunk Platform
Announcing Modern Navigation: A New Era of Splunk User Experience
