Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create table from JSON?

Khanu89
Path Finder
‎05-19-2022 08:11 PM

Hello - Thank you in advance for the help. I am getting following raw data in Splunk events which I'd like to pull into a table format.

I would like to pull the following: Host, Success, and Error field as columns for my table.

Screen Shot 2022-05-19 at 10.06.55 PM.png

 

I tried this query but no success:

| makeresults
| eval _raw="{\"host\"},{\"success\",{\"error\"}"
| spath path=host{} output=temp
| mvexpand temp
| spath input=temp
| fillnull value="None"
| table host,success,error

Labels (3)
Labels
0 Karma
Reply

Khanu89
Path Finder
‎05-19-2022 10:15 PM

@ITWhisperer Here you are. So my code is pinging remote machines and the response is in JSON file. I would like to table the host and success from this response file.

Screen Shot 2022-05-20 at 12.13.28 AM.png

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-19-2022 10:20 PM

It looks like from your graphic that the JSON has been split across multiple events - is that right?

If so, will host, success and error always be in the same event?

0 Karma
Reply

Khanu89
Path Finder
‎05-19-2022 10:26 PM

yeah I do not know why they are split up in multiple events but the host, success and error will be in same event.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-19-2022 10:33 PM

Try something like this

| rex "\"host\":\s(?<host>[^,]*),.*?\"success\":\s(?<success>[^,]*),.*?\"error\":\s(?<error>[^,]*),"
0 Karma
Reply

Khanu89
Path Finder
‎05-19-2022 10:36 PM

I tried and it didn't extract any fields.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-19-2022 10:42 PM

Try this

| rex "(?ms)\"host\":\s(?<host>[^,]*),.*?\"success\":\s(?<success>[^,]*),.*?\"error\":\s(?<error>[^,]*),"

I haven't tested this because I don't have an example to use (which is why I asked for the event to be in a code block, and I am not about to type it all in) 😀

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-19-2022 10:12 PM

It looks like (from the graphic) that host, success and error are elements of an object, which is part of a collection of similar objects. Is this right? Can you share a larger example of the whole event in a code block rather than a graphic (redacting any sensitive information of course)?

0 Karma
Reply

Khanu89
Path Finder
‎05-19-2022 10:32 PM

@ITWhisperer  hope this helps.

Screen Shot 2022-05-20 at 12.27.06 AM.png

 

Here is my JSON file 

Screen Shot 2022-05-20 at 12.30.06 AM.png

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-19-2022 10:39 PM

It looks like your file is being broken into events by the presence of timestamps rather than the end of the array element

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...