Solved: How to extract fields from a JSON file from Google...

guimilare · ‎09-10-2015

Hi dear Splunkers

I have to following JSON given by a REST calling at Google Analytics:

{"kind":"analytics#gaData","id":"https://www.googleapis.com/analytics/v3/data/ga?ids=ga:XXXXXXXX&dimensions=ga:operatingSystem&metrics=ga:users&sort=-ga:users&start-date=30daysAgo&end-date=yesterday","query":{"start-date":"30daysAgo","end-date":"yesterday","ids":"ga:XXXXXXXX","dimensions":"ga:operatingSystem","metrics":["ga:users"],"sort":["-ga:users"],"start-index":1,"max-results":1000},"itemsPerPage":1000,"totalResults":9,"selfLink":"https://www.googleapis.com/analytics/v3/data/ga?ids=ga:XXXXXXXX&dimensions=ga:operatingSystem&metrics=ga:users&sort=-ga:users&start-date=30daysAgo&end-date=yesterday","profileInfo":{"profileId":"XXXXXXXX","accountId":"XXXXXXXX","webPropertyId":"XXXXXXXX-X","internalWebPropertyId":"XXXXXXXX","profileName":"Todos os dados do website","tableId":"ga:XXXXXXXX"},"containsSampledData":false,"columnHeaders":[{"name":"ga:operatingSystem","columnType":"DIMENSION","dataType":"STRING"},{"name":"ga:users","columnType":"METRIC","dataType":"INTEGER"}],"totalsForAllResults":{"ga:users":"17700"},"rows":[["Windows","13440"],["Android","2131"],["iOS","1439"],["Linux","281"],["Macintosh","280"],["Windows Phone","78"],["(not set)","29"],["Chrome OS","19"],["BlackBerry","3"]]}

I'm having a hard time trying to use spath so I can break the data I need as follows:

OS                  Number
Windows             13440
Android              2131
iOS                  1439
Linux                 281
Macintosh             280
Windows Phone          78
(not set)              29
Chrome OS              19
BlackBerry              3

Can you guys help me?
How can I use spath (or any other tool) to do this?
Thanks in advance!

somesoni2 · ‎09-10-2015

Try this

Your base search | table _raw | rex mode=sed "s/\[(\"[^\"]+\"),(\"[^\"]+\")\]/{\"OS\":\1,\"Number\":\2}/g" | spath | table rows* | rename rows{}.* as * | table OS Number

This will give you multivalued field for OS and Number. If you further split each OS as separate event, try this

 Your base search | table _raw | rex mode=sed "s/\[(\"[^\"]+\"),(\"[^\"]+\")\]/{\"OS\":\1,\"Number\":\2}/g" | spath | table rows* | rename rows{}.* as * | eval temp=mvzip(OS,Number,"##") | table temp | mvexpand temp | rex field=temp "(?<OS>.*)##(?<Number>.*)"| table OS Number

View solution in original post

somesoni2 · ‎09-10-2015

Try this

Your base search | table _raw | rex mode=sed "s/\[(\"[^\"]+\"),(\"[^\"]+\")\]/{\"OS\":\1,\"Number\":\2}/g" | spath | table rows* | rename rows{}.* as * | table OS Number

This will give you multivalued field for OS and Number. If you further split each OS as separate event, try this

 Your base search | table _raw | rex mode=sed "s/\[(\"[^\"]+\"),(\"[^\"]+\")\]/{\"OS\":\1,\"Number\":\2}/g" | spath | table rows* | rename rows{}.* as * | eval temp=mvzip(OS,Number,"##") | table temp | mvexpand temp | rex field=temp "(?<OS>.*)##(?<Number>.*)"| table OS Number

guimilare · ‎09-11-2015

Thank you somesoni2 !
It worked perfectly!!
Best regards!

How to extract fields from a JSON file from Google Analytics API using spath or other options?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation