
how to split the json array into multiple new events

Explorer

I have a json like this format

{
  "id":"123412341234",
  "actions": [ 
    {
      "type":"a",
      "status":"b",
      "amount": 1,
      "time_updated": "2013-10-14T11:00"
    },
    {
      "type":"c",
      "status":"d",
      "amount": 1,
      "time_updated": "2013-10-14T12:00"
    }
  ]
}

I want to know how to split the array into multiple new events like

time_updated     id           type status amount
2013-10-14T11:00 123412341234 a    b      1
2013-10-14T12:00 123412341234 c    d      2

Thanks!


Re: how to split the json array into multiple new events

SplunkTrust

Hi wood1986,

have a look at the spath search command, its purpose is to have a straightforward means for extracting information from structured data formats like XML and JSON.

hope this helps ...

cheers, MuS


Re: how to split the json array into multiple new events

Splunk Employee

Note, you might have to use spath to get multi-value fields, then mvexpand to get events from each distinct set.


Re: how to split the json array into multiple new events

Path Finder

examples would be pretty nice


Re: how to split the json array into multiple new events

SplunkTrust

examples you want....so you probably did not read the docs then 😉 there are examples on how to use spath on XML and JSON -> http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/Spath#Examples


Re: how to split the json array into multiple new events

Explorer

This example does not address the question. The example describes how to turn an event that has a field with multiple values into multiple events. It does not describe how to turn an event with a JSON array into multiple events. The difference is this:
{ var : val1, var : val2, var : val3 }

vs this
var : [val1, val2, val3].
The example covers the first, the question concerns the second. Does anyone know how to turn a single JSON event with an array of N sub-items into N events, each with one sub-item?


Re: how to split the json array into multiple new events

SplunkTrust

You can do a similar thing for JSON arrays as well using spath.

your base search | spath | rename actions{}.* as * | mvexpand id | dedup id | eval temp=mvzip(mvzip(mvzip(type,status,"#"),time_updated,"#"),amount,"#") | mvexpand temp | rex field=temp "(?<type>.*)#(?<status>.*)#(?<time_updated>.*)#(?<amount>.*)" | fields - temp | dedup id amount status time_updated type

Re: how to split the json array into multiple new events

Engager

It works.. but strange.. we need to copy it as it is...
if we give any spaces, it's not working...


Re: how to split the json array into multiple new events

Explorer

Can someone at least confirm whether this is possible or not? (The question was: how to turn a single JSON event with an array of N sub-items into N events, during parsing, not at search time.)

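An added example, not code from any poster in this thread: the split done before the data reaches Splunk (for instance from a scripted input or a collector that writes one JSON object per line), so each array element is indexed as its own event carrying the parent id. It produces the same rows as the spath/mvzip/mvexpand search above and also covers the "during parsing, not at search time" request; the sample event is the one from the question, and `split_array_events`, `to_ndjson` and `array_field` are names chosen here.

```python
import json
from typing import Any

# Constructed sample: the event from the question, as one JSON string.
SAMPLE_EVENT = """{
  "id": "123412341234",
  "actions": [
    {"type": "a", "status": "b", "amount": 1, "time_updated": "2013-10-14T11:00"},
    {"type": "c", "status": "d", "amount": 1, "time_updated": "2013-10-14T12:00"}
  ]
}"""


def split_array_events(raw: str, array_field: str) -> list[dict[str, Any]]:
    """Turn one JSON event holding an array under `array_field` into N flat events.

    Every top-level field other than the array is copied into each new event, so
    the parent `id` travels with each action (the rows the question asks for).
    Elements that are objects have their fields lifted to the top level (element
    fields win on a name clash); scalar elements are kept under the array's name.
    """
    parent = json.loads(raw)
    items = parent.get(array_field)
    if not isinstance(items, list):
        # Nothing to split: keep the event as-is rather than silently dropping it.
        return [parent]
    common = {k: v for k, v in parent.items() if k != array_field}
    events: list[dict[str, Any]] = []
    for item in items:
        event = dict(common)
        if isinstance(item, dict):
            event.update(item)
        else:
            event[array_field] = item
        events.append(event)
    return events


def to_ndjson(events: list[dict[str, Any]]) -> str:
    """One JSON object per line, so a line-oriented input indexes each as an event."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


if __name__ == "__main__":
    print(to_ndjson(split_array_events(SAMPLE_EVENT, "actions")))
```

Pre-splitting this way also avoids the search-time mvzip/rex step, whose "#" delimiter and greedy `.*` groups would mis-split any value that itself contains a "#".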

Re: how to split the json array into multiple new events

Path Finder

Yes, it works as documented. You really have to read the documentation; and it works.
