Splunk Search

How to create two multi value fields to produce a json object of name value pairs?

spinnerdog
Explorer

I have this Query that produces two multi value fields, keys and values.  What i need to do is pair each entry in the keys multivalue field with it's matching value in the values multivalue field to create a json object that looks like this.

{ key1:val1, key2:val2, key3:val3 }

index=test5 earliest=@s-24h
apicall IN (aws_es_listDomainNames aws_es_listTags) NOT err
| eval resourceid=coalesce(resourceid, DomainName)
| eval uid=resourceid+accountid+region
| rename "TagList{}.Key" AS keys
| rename "TagList{}.Value" AS values
| eval tags=mvzip('keys','values'," = ") | nomv tags.    //  this matches up the key and value pairs but isn't useful with json_object.
 
I've tried using json_object but json_object only accepts arguments and not a string of key value pairs.  Is there a way to produce a json object from the two multivalue fields above?
 
Thanks.
 
 
Labels (2)
0 Karma

rymundo_splunk
Splunk Employee
Splunk Employee

Hi, I think something like this will work

| makeresults
| eval json="{ \"stuff\":[{\"name\": \"name0\", \"value\": \"value0\"},{\"name\": \"name1\", \"value\": \"value1\"}] }"
| spath input=json
| rename "stuff{}.name" as names,
"stuff{}.value" as values,
| eval range=mvrange(0,mvcount(names)),
stuff=mvmap(range,"\"".mvindex(names,range)."\":\"".mvindex(values,range)."\"")
| nomv stuff
| eval stuff="{".replace(stuff,"\n",",")."}"
| table json stuff

 

rymundo_splunk_0-1654239459927.png

 

 

0 Karma

rymundo_splunk
Splunk Employee
Splunk Employee

My bad.  This is a bit cleaner.  Clearly I'm up too late and forgot about mvjoin

| makeresults
| eval json="{ \"stuff\":[{\"name\": \"name0\", \"value\": \"value0\"},{\"name\": \"name1\", \"value\": \"value1\"}] }"
| spath input=json
| rename "stuff{}.name" as names,
"stuff{}.value" as values,
| eval range=mvrange(0,mvcount(names)),
stuff=mvmap(range,"\"".mvindex(names,range)."\":\"".mvindex(values,range)."\""),
stuff=mvjoin(stuff,",")
| eval stuff="{".stuff."}"
| table json stuff
0 Karma

spinnerdog
Explorer

excellent!! Thank you.

Get Updates on the Splunk Community!

Splunk Education - Fast Start Program!

Welcome to Splunk Education! Splunk training programs are designed to enable you to get started quickly and ...

Five Subtly Different Ways of Adding Manual Instrumentation in Java

You can find the code of this example on GitHub here. Please feel free to star the repository to keep in ...

New Splunk APM Enhancements Help Troubleshoot Your MySQL and NoSQL Databases Faster

Splunk Observability has two new enhancements to make it quicker and easier to troubleshoot slow or frequently ...