How to convert multiple individual json objects in...

damode1 · ‎05-21-2023

I want to convert some of the below individual json objects in the event into nested single json object like the second example

Current Format

{
    "ID": 1,
    "Timestamp": "2023-05-18T05:07:59.940594300Z",
    "FileVersion": "10.0.17134.1 (WinBuild.160101.0800)",
    "Company": "Microsoft Corporation",
    "TerminalSessionId": 0,
    "UtcTime": "2018-08-20 15:18:59.929",
    "Product": "Microsoft® Windows® Operating System",
}

Expected Format

{
    "ID": 1,
    "Timestamp": "2023-05-18T05:07:59.940594300Z",
    "EventData":{
        "FileVersion": "10.0.17134.1 (WinBuild.160101.0800)",
        "Company": "Microsoft Corporation",
        "TerminalSessionId": 0,
        "UtcTime": "2018-08-20 15:18:59.929",
        "Product": "Microsoft® Windows® Operating System",
    }
}

I have tried to playaround with json functions but unable to figure out how to achieve the above outcome.

Can someone please help ?

yuanliu · ‎05-23-2023

This seems to be the exact question as How to convert multiple individual json objects into a nested json object in an event ? You can checkout answer there. But I'm curious: why the interest all in a sudden? This doesn't seem to be a very practical use of Splunk. Such tasks can be more easily accomplished outside of SPL.

damode1 · ‎05-23-2023

ya sorry about that. my original post was repeatedly getting tagged as spam post for some unknown reason, hence, unfortunately I had to post it from another account.

How to convert multiple individual json objects into a nested json object ?

eval

Can’t make it to .conf25? Join us online!

What Is Splunk? Here’s What You Can Do with Splunk

Level Up Your .conf25: Splunk Arcade Comes to Boston

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Are you a member of the Splunk Community?