Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you create a table from the following data?

stevepkr84
New Member
‎12-10-2018 12:50 AM

Assuming these 3 docs, how can I create a table where I dedupe by account (I want the most recently ingested event) and display fields account, account_id, resources{].instanceId, the Tag value where Key = Name. This seems easy without trying to extract the Name tag value.

{
    "account_id": 1,
    "account": "dev",
    "resources": [
        {
            "instanceId": 123,
            "Tags": [
                {
                    "Key": "Name",
                    "Value": "Instance1"
                },
                {
                    "Key": "Owner",
                    "Value": "Dave"
                }
            ]
        },
        {
            "instanceId": 456,
            "Tags": [
                {
                    "Key": "CostCentre",
                    "Value": "ABC"
                },
                {
                    "Key": "Name",
                    "Value": "Instance2"
                }
            ]
        }
    ]
}

{
    "account_id": 1,
    "account": "dev",
    "resources": [
        {
            "instanceId": 123,
            "Tags": [
                {
                    "Key": "Name",
                    "Value": "Instance1"
                },
                {
                    "Key": "Owner",
                    "Value": "Dave"
                }
            ]
        }
    ]
}

{
    "account_id": 2,
    "account": "test",
    "resources": [
        {
            "instanceId": 789,
            "Tags": [
                {
                    "Key": "Name",
                    "Value": "Instance1"
                },
                {
                    "Key": "Owner",
                    "Value": "Bob"
                }
            ]
        }
    ]
}

This was my attempt:

| dedup account_id  | rename resources{}.Tags{}.Value AS value, resources{}.Tags{}.Key AS key, resources{}.InstanceId AS id | eval x=mvzip(key, value) | mvexpand x | eval x=split(x,",") | eval key=mvindex(x,0) | search key=Name | eval value=mvindex(x,1) | table account account_id id key value

It almost gives me the correct data, but I get each instance per account duplicated in the row for each Name tag.

Any help would be appreciated.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-10-2018 08:26 AM

@stevepkr84

Can you please try below search?

YOUR_SEARCH | dedup account_id | kv 
| spath path=resources{} output=resources 
| mvexpand resources 
| eval _raw=resources 
| kv 
| rename Tags{}.Key as Tags_Key, Tags{}.Value as Tags_Value 
| eval tmp=mvzip(Tags_Key,Tags_Value) | mvexpand tmp | fields account_id,account tmp instanceId | eval key=mvindex(split(tmp,","),0), value=mvindex(split(tmp,","),1) | rename instanceId as id | table account account_id id key value

My Sample Search:

| makeresults 
| eval _raw="{     \"account_id\": 1,     \"account\": \"dev\",     \"resources\": [         {             \"instanceId\": 123,             \"Tags\": [                 {                     \"Key\": \"Name\",                     \"Value\": \"Instance1\"                 },                 {                     \"Key\": \"Owner\",                     \"Value\": \"Dave\"                 }             ]         },         {             \"instanceId\": 456,             \"Tags\": [                 {                     \"Key\": \"CostCentre\",                     \"Value\": \"ABC\"                 },                 {                     \"Key\": \"Name\",                     \"Value\": \"Instance2\"                 }             ]         }     ] } " 
| kv 
| spath path=resources{} output=resources 
| mvexpand resources 
| eval _raw=resources 
| kv 
| rename Tags{}.Key as Tags_Key, Tags{}.Value as Tags_Value 
| eval tmp=mvzip(Tags_Key,Tags_Value) | mvexpand tmp | fields account_id,account tmp instanceId | eval key=mvindex(split(tmp,","),0), value=mvindex(split(tmp,","),1) | rename instanceId as id | table account account_id id key value

Thanks

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-10-2018 08:26 AM

@stevepkr84

Can you please try below search?

YOUR_SEARCH | dedup account_id | kv 
| spath path=resources{} output=resources 
| mvexpand resources 
| eval _raw=resources 
| kv 
| rename Tags{}.Key as Tags_Key, Tags{}.Value as Tags_Value 
| eval tmp=mvzip(Tags_Key,Tags_Value) | mvexpand tmp | fields account_id,account tmp instanceId | eval key=mvindex(split(tmp,","),0), value=mvindex(split(tmp,","),1) | rename instanceId as id | table account account_id id key value

My Sample Search:

| makeresults 
| eval _raw="{     \"account_id\": 1,     \"account\": \"dev\",     \"resources\": [         {             \"instanceId\": 123,             \"Tags\": [                 {                     \"Key\": \"Name\",                     \"Value\": \"Instance1\"                 },                 {                     \"Key\": \"Owner\",                     \"Value\": \"Dave\"                 }             ]         },         {             \"instanceId\": 456,             \"Tags\": [                 {                     \"Key\": \"CostCentre\",                     \"Value\": \"ABC\"                 },                 {                     \"Key\": \"Name\",                     \"Value\": \"Instance2\"                 }             ]         }     ] } " 
| kv 
| spath path=resources{} output=resources 
| mvexpand resources 
| eval _raw=resources 
| kv 
| rename Tags{}.Key as Tags_Key, Tags{}.Value as Tags_Value 
| eval tmp=mvzip(Tags_Key,Tags_Value) | mvexpand tmp | fields account_id,account tmp instanceId | eval key=mvindex(split(tmp,","),0), value=mvindex(split(tmp,","),1) | rename instanceId as id | table account account_id id key value

Thanks

0 Karma
Reply
Solved! Jump to solution

stevepkr84
New Member
‎12-10-2018 08:41 AM

This looks about right, thank you. The only minor issue is that account_id and account display twice per row.

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-10-2018 10:22 AM

Yes, bcoz there are multiple key-value pairs with single instanceId. How do you want to display data?

0 Karma
Reply
Solved! Jump to solution

stevepkr84
New Member
‎12-11-2018 12:37 AM

Exactly as it comes out with your query, but ideally without the duplicated account_id and account showing on each row. But this is good enough for sure so will access the answer, thanks again.

0 Karma
Reply
Solved! Jump to solution

kmaron
Motivator
‎12-10-2018 08:19 AM

What do you want your table to look like?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...