How to convert multiple individual json objects in...

dm1 · ‎05-21-2023

I want to convert some of the below individual json objects in the event into nested single json object like the second example

Current Format

{
    "ID": 1,
    "Timestamp": "2023-05-18T05:07:59.940594300Z",
    "FileVersion": "10.0.17134.1 (WinBuild.160101.0800)",
    "Company": "Microsoft Corporation",
    "TerminalSessionId": 0,
    "UtcTime": "2018-08-20 15:18:59.929",
    "Product": "Microsoft® Windows® Operating System",
}

Expected Format

{
    "ID": 1,
    "Timestamp": "2023-05-18T05:07:59.940594300Z",
    "EventData":{
        "FileVersion": "10.0.17134.1 (WinBuild.160101.0800)",
        "Company": "Microsoft Corporation",
        "TerminalSessionId": 0,
        "UtcTime": "2018-08-20 15:18:59.929",
        "Product": "Microsoft® Windows® Operating System",
    }

}

I have tried to playaround with json functions but unable to figure out how to achieve the above outcome.

Can someone please help ?

yuanliu · ‎05-23-2023

If you are on Splunk 8 or later, you can use json_object to compose a new object.

| eval json = json_object("ID", ID, "Timestamp", Timestamp, "EventData", json_object("FileVersion", FileVersion, "Company", Company, "TerminalSessionId", TerminalSessionId, "UtcTime", UtcTime, "Product", Product))

damode1 · ‎05-23-2023

Apologies. I realised my understanding of the data was incorrect.

I have put the requirement and current data format on this new post

https://community.splunk.com/t5/Splunk-Search/How-to-convert-nested-xml-block-into-json-formatted-ne...

How to convert multiple individual json objects into a nested json object in an event ?

eval

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?