Solved: How to convert array of json in multiple split lin...

felipesodre · ‎02-28-2022

Any help is greatly appreciated.

How to convert the following json into a table?

{
"Summary":{
"jobType":"jobA",
"summaryId":22746666,
"objectsArchived":[
{
"name":"tableA",
"count":855
},
{
"name":"tableB",
"count":678
}
]
}
}

Jobtype | SummaryId | Table | Count

jobA. | 22746666. | tableA | 855

jobA. | 22746666 | tableB | 678

ITWhisperer · ‎02-28-2022

| spath Summary.objectsArchived{} output=objectsArchived
| mvexpand objectsArchived
| spath Summary.jobType output=jobType
| spath Summary.summaryId output=summaryId
| spath input=objectsArchived
| rename name as Table
| table jobType summaryId Table count

View solution in original post

ITWhisperer · ‎02-28-2022

| spath Summary.objectsArchived{} output=objectsArchived
| mvexpand objectsArchived
| spath Summary.jobType output=jobType
| spath Summary.summaryId output=summaryId
| spath input=objectsArchived
| rename name as Table
| table jobType summaryId Table count

How to convert array of json in multiple split lines?

field extraction

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

Are you a member of the Splunk Community?

How to convert array of json in multiple split lines?

field extraction

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar