Solved: Re: Get arbitrary nested key-value pairs from JSON

mldavis195 · ‎03-28-2023

I have some JSON that looks similar to this:

{
    "foo": "bar",
    "x": {
        "hello": "world",
        "y": {
            "A": 400,
            "B": 500,
            "C": 300
        }
    }
}
{
    "foo": "baz",
    "x": {
        "something": "test",
        "y": {
            "A": 100,
            "D": 200,
            "E": 600
        }
    }
}

What I would like is to extract everything in x.y for a sum but the keys are dynamic and I won't know them all in advance:

A	500
B	500
C	300
D	200
E	600

I have been stuck on this one for a while. Can anyone help me?

yuanliu · ‎03-28-2023

If that's your raw event, you would have fields like x.y.A, x.y.B, etc., already. Just do

| stats sum(x.y.*) as *

If they are in an extracted field, say jsonfield, spath first.

| spath input=jsonfield
| stats sum(x.y.*) as *

View solution in original post

yuanliu · ‎03-28-2023

If that's your raw event, you would have fields like x.y.A, x.y.B, etc., already. Just do

| stats sum(x.y.*) as *

If they are in an extracted field, say jsonfield, spath first.

| spath input=jsonfield
| stats sum(x.y.*) as *

mldavis195 · ‎03-28-2023

Thanks, seems so obvious after seeing your solution.

How do I get arbitrary nested key-value pairs from JSON?

stats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Developer Spotlight with Mika Borner

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

Join the Conversation