Solved: Re: Get arbitrary nested key-value pairs from JSON

mldavis195 · ‎03-28-2023

I have some JSON that looks similar to this:

{
    "foo": "bar",
    "x": {
        "hello": "world",
        "y": {
            "A": 400,
            "B": 500,
            "C": 300
        }
    }
}
{
    "foo": "baz",
    "x": {
        "something": "test",
        "y": {
            "A": 100,
            "D": 200,
            "E": 600
        }
    }
}

What I would like is to extract everything in x.y for a sum but the keys are dynamic and I won't know them all in advance:

A	500
B	500
C	300
D	200
E	600

I have been stuck on this one for a while. Can anyone help me?

yuanliu · ‎03-28-2023

If that's your raw event, you would have fields like x.y.A, x.y.B, etc., already. Just do

| stats sum(x.y.*) as *

If they are in an extracted field, say jsonfield, spath first.

| spath input=jsonfield
| stats sum(x.y.*) as *

View solution in original post

yuanliu · ‎03-28-2023

If that's your raw event, you would have fields like x.y.A, x.y.B, etc., already. Just do

| stats sum(x.y.*) as *

If they are in an extracted field, say jsonfield, spath first.

| spath input=jsonfield
| stats sum(x.y.*) as *

mldavis195 · ‎03-28-2023

Thanks, seems so obvious after seeing your solution.

How do I get arbitrary nested key-value pairs from JSON?

stats

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?

How do I get arbitrary nested key-value pairs from JSON?

stats

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES