Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to create table from JSON?

Khanu89
Path Finder
‎05-19-2022 08:11 PM

Hello - Thank you in advance for the help. I am getting following raw data in Splunk events which I'd like to pull into a table format.

I would like to pull the following: Host, Success, and Error field as columns for my table.

Screen Shot 2022-05-19 at 10.06.55 PM.png

 

I tried this query but no success:

| makeresults
| eval _raw="{\"host\"},{\"success\",{\"error\"}"
| spath path=host{} output=temp
| mvexpand temp
| spath input=temp
| fillnull value="None"
| table host,success,error

Labels (3)
Labels
0 Karma
Reply

Khanu89
Path Finder
‎05-19-2022 10:15 PM

@ITWhisperer Here you are. So my code is pinging remote machines and the response is in JSON file. I would like to table the host and success from this response file.

Screen Shot 2022-05-20 at 12.13.28 AM.png

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-19-2022 10:20 PM

It looks like from your graphic that the JSON has been split across multiple events - is that right?

If so, will host, success and error always be in the same event?

0 Karma
Reply

Khanu89
Path Finder
‎05-19-2022 10:26 PM

yeah I do not know why they are split up in multiple events but the host, success and error will be in same event.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-19-2022 10:33 PM

Try something like this

| rex "\"host\":\s(?<host>[^,]*),.*?\"success\":\s(?<success>[^,]*),.*?\"error\":\s(?<error>[^,]*),"
0 Karma
Reply

Khanu89
Path Finder
‎05-19-2022 10:36 PM

I tried and it didn't extract any fields.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-19-2022 10:42 PM

Try this

| rex "(?ms)\"host\":\s(?<host>[^,]*),.*?\"success\":\s(?<success>[^,]*),.*?\"error\":\s(?<error>[^,]*),"

I haven't tested this because I don't have an example to use (which is why I asked for the event to be in a code block, and I am not about to type it all in) 😀

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-19-2022 10:12 PM

It looks like (from the graphic) that host, success and error are elements of an object, which is part of a collection of similar objects. Is this right? Can you share a larger example of the whole event in a code block rather than a graphic (redacting any sensitive information of course)?

0 Karma
Reply

Khanu89
Path Finder
‎05-19-2022 10:32 PM

@ITWhisperer  hope this helps.

Screen Shot 2022-05-20 at 12.27.06 AM.png

 

Here is my JSON file 

Screen Shot 2022-05-20 at 12.30.06 AM.png

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-19-2022 10:39 PM

It looks like your file is being broken into events by the presence of timestamps rather than the end of the array element

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...

Keep the Learning Going with the New Best of .conf Hub

Hello Splunkers, With .conf26 getting closer, there’s already a lot of excitement building around this year’s ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...