Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How do you create a table from the following data?

stevepkr84
New Member
‎12-10-2018 12:50 AM

Assuming these 3 docs, how can I create a table where I dedupe by account (I want the most recently ingested event) and display fields account, account_id, resources{].instanceId, the Tag value where Key = Name. This seems easy without trying to extract the Name tag value.

{
    "account_id": 1,
    "account": "dev",
    "resources": [
        {
            "instanceId": 123,
            "Tags": [
                {
                    "Key": "Name",
                    "Value": "Instance1"
                },
                {
                    "Key": "Owner",
                    "Value": "Dave"
                }
            ]
        },
        {
            "instanceId": 456,
            "Tags": [
                {
                    "Key": "CostCentre",
                    "Value": "ABC"
                },
                {
                    "Key": "Name",
                    "Value": "Instance2"
                }
            ]
        }
    ]
}

{
    "account_id": 1,
    "account": "dev",
    "resources": [
        {
            "instanceId": 123,
            "Tags": [
                {
                    "Key": "Name",
                    "Value": "Instance1"
                },
                {
                    "Key": "Owner",
                    "Value": "Dave"
                }
            ]
        }
    ]
}

{
    "account_id": 2,
    "account": "test",
    "resources": [
        {
            "instanceId": 789,
            "Tags": [
                {
                    "Key": "Name",
                    "Value": "Instance1"
                },
                {
                    "Key": "Owner",
                    "Value": "Bob"
                }
            ]
        }
    ]
}

This was my attempt:

| dedup account_id  | rename resources{}.Tags{}.Value AS value, resources{}.Tags{}.Key AS key, resources{}.InstanceId AS id | eval x=mvzip(key, value) | mvexpand x | eval x=split(x,",") | eval key=mvindex(x,0) | search key=Name | eval value=mvindex(x,1) | table account account_id id key value

It almost gives me the correct data, but I get each instance per account duplicated in the row for each Name tag.

Any help would be appreciated.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-10-2018 08:26 AM

@stevepkr84

Can you please try below search?

YOUR_SEARCH | dedup account_id | kv 
| spath path=resources{} output=resources 
| mvexpand resources 
| eval _raw=resources 
| kv 
| rename Tags{}.Key as Tags_Key, Tags{}.Value as Tags_Value 
| eval tmp=mvzip(Tags_Key,Tags_Value) | mvexpand tmp | fields account_id,account tmp instanceId | eval key=mvindex(split(tmp,","),0), value=mvindex(split(tmp,","),1) | rename instanceId as id | table account account_id id key value

My Sample Search:

| makeresults 
| eval _raw="{     \"account_id\": 1,     \"account\": \"dev\",     \"resources\": [         {             \"instanceId\": 123,             \"Tags\": [                 {                     \"Key\": \"Name\",                     \"Value\": \"Instance1\"                 },                 {                     \"Key\": \"Owner\",                     \"Value\": \"Dave\"                 }             ]         },         {             \"instanceId\": 456,             \"Tags\": [                 {                     \"Key\": \"CostCentre\",                     \"Value\": \"ABC\"                 },                 {                     \"Key\": \"Name\",                     \"Value\": \"Instance2\"                 }             ]         }     ] } " 
| kv 
| spath path=resources{} output=resources 
| mvexpand resources 
| eval _raw=resources 
| kv 
| rename Tags{}.Key as Tags_Key, Tags{}.Value as Tags_Value 
| eval tmp=mvzip(Tags_Key,Tags_Value) | mvexpand tmp | fields account_id,account tmp instanceId | eval key=mvindex(split(tmp,","),0), value=mvindex(split(tmp,","),1) | rename instanceId as id | table account account_id id key value

Thanks

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-10-2018 08:26 AM

@stevepkr84

Can you please try below search?

YOUR_SEARCH | dedup account_id | kv 
| spath path=resources{} output=resources 
| mvexpand resources 
| eval _raw=resources 
| kv 
| rename Tags{}.Key as Tags_Key, Tags{}.Value as Tags_Value 
| eval tmp=mvzip(Tags_Key,Tags_Value) | mvexpand tmp | fields account_id,account tmp instanceId | eval key=mvindex(split(tmp,","),0), value=mvindex(split(tmp,","),1) | rename instanceId as id | table account account_id id key value

My Sample Search:

| makeresults 
| eval _raw="{     \"account_id\": 1,     \"account\": \"dev\",     \"resources\": [         {             \"instanceId\": 123,             \"Tags\": [                 {                     \"Key\": \"Name\",                     \"Value\": \"Instance1\"                 },                 {                     \"Key\": \"Owner\",                     \"Value\": \"Dave\"                 }             ]         },         {             \"instanceId\": 456,             \"Tags\": [                 {                     \"Key\": \"CostCentre\",                     \"Value\": \"ABC\"                 },                 {                     \"Key\": \"Name\",                     \"Value\": \"Instance2\"                 }             ]         }     ] } " 
| kv 
| spath path=resources{} output=resources 
| mvexpand resources 
| eval _raw=resources 
| kv 
| rename Tags{}.Key as Tags_Key, Tags{}.Value as Tags_Value 
| eval tmp=mvzip(Tags_Key,Tags_Value) | mvexpand tmp | fields account_id,account tmp instanceId | eval key=mvindex(split(tmp,","),0), value=mvindex(split(tmp,","),1) | rename instanceId as id | table account account_id id key value

Thanks

0 Karma
Reply
Solved! Jump to solution

stevepkr84
New Member
‎12-10-2018 08:41 AM

This looks about right, thank you. The only minor issue is that account_id and account display twice per row.

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-10-2018 10:22 AM

Yes, bcoz there are multiple key-value pairs with single instanceId. How do you want to display data?

0 Karma
Reply
Solved! Jump to solution

stevepkr84
New Member
‎12-11-2018 12:37 AM

Exactly as it comes out with your query, but ideally without the duplicated account_id and account showing on each row. But this is good enough for sure so will access the answer, thanks again.

0 Karma
Reply
Solved! Jump to solution

kmaron
Motivator
‎12-10-2018 08:19 AM

What do you want your table to look like?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...