Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create a table from JSON?

Karanreddy
Engager
‎05-03-2023 04:27 PM

Hi, 

Can someone please help me to build a table using following JSON

My search results  as follows 

 

 

{ [-]
   docker: { [+]
   }
   kubernetes: { [+]
   }
   log: LOGGER {"name":"some text here","pathname":"/some/path","timestamp":"2023-05-03T20:35:06Z","action":"pageview","payload":{"category":"cloths","country":"US","appEnv":"production"},"uID":"0023493543"}
   stream: stdout
}

 

 

From this I would like draw the table as 

uID pathname category eventName country
0023493543
/some/path
cloths
some text here
 US


Thanks in advance

Labels (2)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎05-11-2023 09:48 AM

Your raw event is itself in JSON, in which the log node embeds another JSON object mixed with other text.  Try extract that embedded JSON first.

The following assumes that the embedded JSON is not escaped in some other ways but is already conformant:

| rex field=log "LOGGER (?<LOGGER>{.*})"
| spath input=LOGGER

The above will not work if the LOGGER piece is escaped in some way.  Please post your sample data in raw text format if that fails

Tags (1)
0 Karma
Reply

TrangCIC81
Communicator
‎05-11-2023 12:14 AM

To create a table from the given JSON, you will need to extract the relevant fields from the "log" object and create a new object containing these fields. You can then use this object to populate the rows of a table.

Here's an example of how you can achieve this using Javascript&colon;

// Sample JSON data
const jsonData = {
  docker: {},
  kubernetes: {},
  log: {
    LOGGER: {
      name: "some text here",
      pathname: "/some/path",
      timestamp: "2023-05-03T20:35:06Z",
      action: "pageview",
      payload: {
        category: "cloths",
        country: "US",
        appEnv: "production"
      },
      uID: "0023493543"
    }
  },
  stream: "stdout"
};

// Extract the relevant fields from the log object
const logData = jsonData.log.LOGGER;
const { uID, pathname, payload } = logData;
const { category, country } = payload;

// Create a new object with the extracted fields
const rowData = { uID, pathname, category, eventName: logData.name, country };

// Create an array with the row data
const rows = [rowData];

// Create the table
const table = `
<table>
  <thead>
    <tr>
      <th>uID</th>
      <th>pathname</th>
      <th>category</th>
      <th>eventName</th>
      <th>country</th>
    </tr>
  </thead>
  <tbody>
    ${rows.map(row => `
      <tr>
        <td>${row.uID}</td>
        <td>${row.pathname}</td>
        <td>${row.category}</td>
        <td>${row.eventName}</td>
        <td>${row.country}</td>
      </tr>
    `).join('')}
  </tbody>
</table>
`;

console.log(table);

This code will output an HTML table with the following structure:

 
<table>
<thead>
<tr>
<th>uID</th>
<th>pathname</th>
<th>category</th>
<th>eventName</th>
<th>country</th>
</tr>
</thead>
<tbody>
<tr>
<td>0023493543</td>
<td>/some/path</td>
<td>cloths</td>
<td>some text here</td>
<td>US</td>
</tr>
</tbody>
</table>   

 

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open! If you ...

Splunk Answers Content Calendar, June Edition II

Get ready to dive into Splunk Dashboard panels this week! We'll be tackling common questions around ...

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Top