Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create table from JSON?

Khanu89
Path Finder
‎05-19-2022 08:11 PM

Hello - Thank you in advance for the help. I am getting following raw data in Splunk events which I'd like to pull into a table format.

I would like to pull the following: Host, Success, and Error field as columns for my table.

Screen Shot 2022-05-19 at 10.06.55 PM.png

 

I tried this query but no success:

| makeresults
| eval _raw="{\"host\"},{\"success\",{\"error\"}"
| spath path=host{} output=temp
| mvexpand temp
| spath input=temp
| fillnull value="None"
| table host,success,error

Labels (3)
Labels
0 Karma
Reply

Khanu89
Path Finder
‎05-19-2022 10:15 PM

@ITWhisperer Here you are. So my code is pinging remote machines and the response is in JSON file. I would like to table the host and success from this response file.

Screen Shot 2022-05-20 at 12.13.28 AM.png

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-19-2022 10:20 PM

It looks like from your graphic that the JSON has been split across multiple events - is that right?

If so, will host, success and error always be in the same event?

0 Karma
Reply

Khanu89
Path Finder
‎05-19-2022 10:26 PM

yeah I do not know why they are split up in multiple events but the host, success and error will be in same event.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-19-2022 10:33 PM

Try something like this

| rex "\"host\":\s(?<host>[^,]*),.*?\"success\":\s(?<success>[^,]*),.*?\"error\":\s(?<error>[^,]*),"
0 Karma
Reply

Khanu89
Path Finder
‎05-19-2022 10:36 PM

I tried and it didn't extract any fields.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-19-2022 10:42 PM

Try this

| rex "(?ms)\"host\":\s(?<host>[^,]*),.*?\"success\":\s(?<success>[^,]*),.*?\"error\":\s(?<error>[^,]*),"

I haven't tested this because I don't have an example to use (which is why I asked for the event to be in a code block, and I am not about to type it all in) 😀

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-19-2022 10:12 PM

It looks like (from the graphic) that host, success and error are elements of an object, which is part of a collection of similar objects. Is this right? Can you share a larger example of the whole event in a code block rather than a graphic (redacting any sensitive information of course)?

0 Karma
Reply

Khanu89
Path Finder
‎05-19-2022 10:32 PM

@ITWhisperer  hope this helps.

Screen Shot 2022-05-20 at 12.27.06 AM.png

 

Here is my JSON file 

Screen Shot 2022-05-20 at 12.30.06 AM.png

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-19-2022 10:39 PM

It looks like your file is being broken into events by the presence of timestamps rather than the end of the array element

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...
Top