Solved: Re: How to edit my search to parse a JSON array an...

jwair · ‎12-08-2016

I have a periodic event with a JSON array that holds some values for different items. I would like to chart one of these values (per component) vs time

E.g.
One event would looks something like:

[
  {
    "name": "ABC",
    "data": {
      "a": 1,
      "b": 5
    }
  },
  {
    "name": "XYZ",
    "data": {
      "a": 2,
      "b": 7
    }
  }
]

The values for a and b change in consequent events, but the structure stays the same.

I would like to chart the values of 'a' for different components. A final output would look like this:

I used 'spath' to parse the JSON array, and I was able to pull the 'name' values and 'a' values, but there were two problems. I could not correlate which value corresponded to which 'name', and when I made a table of the parsed values I got all the 'name' values and all 'a' values in one row corresponding to the event. I might be taking the wrong approach here, but this is what I have:

| ...
| spath input=myField
| rename {}.name AS name, {}.data.a AS a
| table name, a

Could you please help me create the search string to make the chart described above?

somesoni2 · ‎12-08-2016

Give this a try

| ...
 | spath input=myField
 | rename {}.name AS name, {}.data.a AS a | eval temp=mvzip(name,a,"#")
| mvexpand temp | rex field=temp "(?<name>[^#]+)#(?<a>.+)" | fields - temp
 | table name, a

View solution in original post

somesoni2 · ‎12-08-2016

Give this a try

| ...
 | spath input=myField
 | rename {}.name AS name, {}.data.a AS a | eval temp=mvzip(name,a,"#")
| mvexpand temp | rex field=temp "(?<name>[^#]+)#(?<a>.+)" | fields - temp
 | table name, a

jwair · ‎12-16-2016

Thanks, this works perfectly 🙂

How to edit my search to parse a JSON array and chart values for different components over time?

Introducing the 2024 Splunk MVPs!

Thanks for the Memories! Splunk University, .conf24, and Community Connections

.conf24 | Day 0