Solved: Re: json to table

arun_kant_sharm · ‎10-15-2019

Hi Experts,

I want to convert Json format into table.
My data have below field
[ [-]
{ [-]
day: Tue
dayOfMonth: 15
duration: (00:00)
month: Oct
program: ssh:notty
sourceHost: ljp1gwd01.axa-di
time: 15:09 - 15:09
user: shaikh
}
{ [-]
day: Thu
dayOfMonth: 3
duration: (00:00)
month: Oct
program: ssh:notty
sourceHost: ljp1gwd01.axa-di
time: 16:33 - 16:33
user: shaikh
}
]

kamlesh_vaghela · ‎10-15-2019

@arun_kant_sharma

Can you please try this?

YOUR_SEARCH  | spath path="{}." output=data | mvexpand data | eval _raw=data | spath | table day dayOfMonth month duration program sourceHost time user

Example:

| makeresults | eval _raw="[{\"day\": \"Tue\",\"dayOfMonth\": \"15\",\"duration\": \"(00:00)\",\"month\": \"Oct\",\"program\": \"ssh:notty\",\"sourceHost\": \"ljp1gwd01.axa-di\",\"time\": \"15:09 - 15:09\",\"user\": \"shaikh\" },{\"day\": \"Thu\",\"dayOfMonth\": \"3\",\"duration\": \"(00:00)\",\"month\": \"Oct\",\"program\": \"ssh:notty\",\"sourceHost\": \"ljp1gwd01.axa-di\",\"time\": \"16:33 - 16:33\",\"user\": \"shaikh\" } ]" | spath path="{}." output=data | mvexpand data | eval _raw=data | spath | table day dayOfMonth month duration program sourceHost time user

View solution in original post

poete · ‎10-15-2019

Hello @arun_kant_sharma,

here it is:

| makeresults 
| eval _raw="[ { \"day\": \"Tue\",\"dayOfMonth\": 15,\"duration\": \"(00:00)\",\"month\": \"Oct\",\"program\": \"ssh:notty\",\"sourceHost\": \"ljp1gwd01.axa-di\",\"time\": \"15:09 - 15:09\",\"user\": \"shaikh\"},{ \"day\": \"Thu\",\"dayOfMonth: 3,\"duration\": \"(00:00)\",\"month\": \"Oct\",
\"program\": \"ssh:notty\",\"sourceHost\": \"ljp1gwd01.axa-di\",\"time: \"16:33 - 16:33\",\"user\": \"shaikh\",}]"
| spath 
| rename {}.* as *
| fields - _raw
| table *

kamlesh_vaghela · ‎10-15-2019

@arun_kant_sharma

Can you please try this?

YOUR_SEARCH  | spath path="{}." output=data | mvexpand data | eval _raw=data | spath | table day dayOfMonth month duration program sourceHost time user

Example:

| makeresults | eval _raw="[{\"day\": \"Tue\",\"dayOfMonth\": \"15\",\"duration\": \"(00:00)\",\"month\": \"Oct\",\"program\": \"ssh:notty\",\"sourceHost\": \"ljp1gwd01.axa-di\",\"time\": \"15:09 - 15:09\",\"user\": \"shaikh\" },{\"day\": \"Thu\",\"dayOfMonth\": \"3\",\"duration\": \"(00:00)\",\"month\": \"Oct\",\"program\": \"ssh:notty\",\"sourceHost\": \"ljp1gwd01.axa-di\",\"time\": \"16:33 - 16:33\",\"user\": \"shaikh\" } ]" | spath path="{}." output=data | mvexpand data | eval _raw=data | spath | table day dayOfMonth month duration program sourceHost time user

kamlesh_vaghela · ‎10-15-2019

@arun_kant_sharma
Can you please share _raw from your event?

arun_kant_sharm · ‎10-15-2019

[{"month": "Oct", "program": "ssh:notty", "user": "shaikh", "time": "15:09 - 15:09", "duration": "(00:00)", "sourceHost": "ljp1gwd01.axa-di", "day": "Tue", "dayOfMonth": "15"}, {"month": "Oct", "program": "ssh:notty", "user": "shaikh", "time": "16:33 - 16:33", "duration": "(00:00)", "sourceHost": "ljp1gwd01.axa-di", "day": "Thu", "dayOfMonth": "3"}]

json to table

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!