Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to convert multiple individual json objects into a nested json object ?

damode1
Path Finder
‎05-21-2023 04:10 PM

I want to convert some of the below individual json objects in the event into nested single json object like the second example

Current Format

{
    "ID": 1,
    "Timestamp": "2023-05-18T05:07:59.940594300Z",
    "FileVersion": "10.0.17134.1 (WinBuild.160101.0800)",
    "Company": "Microsoft Corporation",
    "TerminalSessionId": 0,
    "UtcTime": "2018-08-20 15:18:59.929",
    "Product": "Microsoft® Windows® Operating System",
}

Expected Format

{
    "ID": 1,
    "Timestamp": "2023-05-18T05:07:59.940594300Z",
    "EventData":{
        "FileVersion": "10.0.17134.1 (WinBuild.160101.0800)",
        "Company": "Microsoft Corporation",
        "TerminalSessionId": 0,
        "UtcTime": "2018-08-20 15:18:59.929",
        "Product": "Microsoft® Windows® Operating System",
    }
}


I have tried to playaround with json functions but unable to figure out how to achieve the above outcome.

Can someone please help ?

Labels (1)
Labels
Tags (1)
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎05-28-2023 11:49 PM

@damode1 

Can you please try this?

YOUR_SEARCH
| spath 
| eval EventData = json_object("FileVersion", FileVersion,"Company",Company, "TerminalSessionId",TerminalSessionId, "UtcTime",UtcTime, "Product",Product) 
| eval NewJson = json_object("ID",ID, "Timestamp", Timestamp,"EventData",json(EventData))
| table _raw NewJson

 

My Sample Search :

| makeresults 
| eval _raw="{\"ID\": 1,\"Timestamp\": \"2023-05-18T05:07:59.940594300Z\",\"FileVersion\": \"10.0.17134.1 (WinBuild.160101.0800)\",\"Company\": \"Microsoft Corporation\",\"TerminalSessionId\": 0,\"UtcTime\": \"2018-08-20 15:18:59.929\",\"Product\": \"Microsoft® Windows® Operating System\",}" 
| spath 
| eval EventData = json_object("FileVersion", FileVersion,"Company",Company, "TerminalSessionId",TerminalSessionId, "UtcTime",UtcTime, "Product",Product) 
| eval NewJson = json_object("ID",ID, "Timestamp", Timestamp,"EventData",json(EventData))
| table _raw NewJson

 

 

Screenshot 2023-05-29 at 12.18.16 PM.png

I hope this will help you.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...

Starting With Observability: OpenTelemetry Best Practices

Tech Talk Starting With Observability: OpenTelemetry Best Practices Tuesday, October 17, 2023   |  11AM PST / ...