Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to extract value with dynamic key name

shimada-k
Explorer
‎03-22-2025 03:10 PM

Hi Experts,

I have the following data. 

{
"TIMESTAMP": 1742677200,
"SYSINFO": "{\"number_of_notconnect_interfaces\":0,\"hostname\":\"test\",\"number_of_transceivers\":{\"10G-LR\":10,\"100G-CWDM4\":20},\"number_of_bfd_peers\":10,\"number_of_bgp_peers\":10,\"number_of_disabled_interfaces\":10,\"number_of_subinterfaces\":{\"Ethernet1\":10,\"Ethernet2\":20},\"number_of_up_interfaces\":1}"
}

I would like to create the table as below, but Ethernet1 or Ethernet2 is a dynamic key (it can be like Ethernet3 or Ethernet4).

Ethernet110
Ethernet220

 

Could someone tell me how to write query to achieve this?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-23-2025 02:58 AM 
| makeresults | eval json="{\"TIMESTAMP\": 1742677200,\"SYSINFO\": \"{\\\"number_of_notconnect_interfaces\\\":0,\\\"hostname\\\":\\\"test\\\",\\\"number_of_transceivers\\\":{\\\"10G-LR\\\":10,\\\"100G-CWDM4\\\":20},\\\"number_of_bfd_peers\\\":10,\\\"number_of_bgp_peers\\\":10,\\\"number_of_disabled_interfaces\\\":10,\\\"number_of_subinterfaces\\\":{\\\"Ethernet1\\\":10,\\\"Ethernet2\\\":20},\\\"number_of_up_interfaces\\\":1}\"}"
| spath input=json
| spath input=SYSINFO number_of_subinterfaces
| fields number_of_subinterfaces
| eval keys=json_array_to_mv(json_keys(number_of_subinterfaces),false())
| mvexpand keys
| eval value=json_extract(number_of_subinterfaces,keys)
| fields - _time number_of_subinterfaces

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-23-2025 02:58 AM 
| makeresults | eval json="{\"TIMESTAMP\": 1742677200,\"SYSINFO\": \"{\\\"number_of_notconnect_interfaces\\\":0,\\\"hostname\\\":\\\"test\\\",\\\"number_of_transceivers\\\":{\\\"10G-LR\\\":10,\\\"100G-CWDM4\\\":20},\\\"number_of_bfd_peers\\\":10,\\\"number_of_bgp_peers\\\":10,\\\"number_of_disabled_interfaces\\\":10,\\\"number_of_subinterfaces\\\":{\\\"Ethernet1\\\":10,\\\"Ethernet2\\\":20},\\\"number_of_up_interfaces\\\":1}\"}"
| spath input=json
| spath input=SYSINFO number_of_subinterfaces
| fields number_of_subinterfaces
| eval keys=json_array_to_mv(json_keys(number_of_subinterfaces),false())
| mvexpand keys
| eval value=json_extract(number_of_subinterfaces,keys)
| fields - _time number_of_subinterfaces
Reply
Solved! Jump to solution

gargantua
Path Finder
‎03-24-2025 01:04 AM

Or even that :

| makeresults | eval json="{\"TIMESTAMP\": 1742677200,\"SYSINFO\": \"{\\\"number_of_notconnect_interfaces\\\":0,\\\"hostname\\\":\\\"test\\\",\\\"number_of_transceivers\\\":{\\\"10G-LR\\\":10,\\\"100G-CWDM4\\\":20},\\\"number_of_bfd_peers\\\":10,\\\"number_of_bgp_peers\\\":10,\\\"number_of_disabled_interfaces\\\":10,\\\"number_of_subinterfaces\\\":{\\\"Ethernet1\\\":10,\\\"Ethernet2\\\":20},\\\"number_of_up_interfaces\\\":1}\"}"

|fromjson json
|fromjson SYSINFO
|fields number_of_subinterfaces
|fromjson number_of_subinterfaces
|fields - number_of_subinterfaces _time
|transpose header_field=column
|rename "row 1" as value, column as keys

🙂

 

0 Karma
Reply
Solved! Jump to solution

shimada-k
Explorer
‎03-23-2025 06:18 AM

Thank you very much, ITWhispere. That works.

0 Karma
Reply
Solved! Jump to solution

gargantua
Path Finder
‎03-22-2025 04:20 PM

Is this doing what you're trying to do ?

| makeresults | eval json="{\"TIMESTAMP\": 1742677200,\"SYSINFO\": \"{\\\"number_of_notconnect_interfaces\\\":0,\\\"hostname\\\":\\\"test\\\",\\\"number_of_transceivers\\\":{\\\"10G-LR\\\":10,\\\"100G-CWDM4\\\":20},\\\"number_of_bfd_peers\\\":10,\\\"number_of_bgp_peers\\\":10,\\\"number_of_disabled_interfaces\\\":10,\\\"number_of_subinterfaces\\\":{\\\"Ethernet1\\\":10,\\\"Ethernet2\\\":20},\\\"number_of_up_interfaces\\\":1}\"}"

|fromjson json
|fromjson SYSINFO
|fields number_of_subinterfaces
|fromjson number_of_subinterfaces
|fields - number_of_subinterfaces _time

 

Results :

Ethernet110
Ethernet220

 

0 Karma
Reply
Solved! Jump to solution

gargantua
Path Finder
‎03-22-2025 04:13 PM

Is your data is exactly like this samble, with all those :

\"

??

0 Karma
Reply
Solved! Jump to solution

catdadof3
Explorer
‎03-22-2025 04:12 PM

Just to clarify - This how the data is coming into your index/source and you're trying to manipulate it via SPL?

It looks something like this only an event vs a table?

catdadof3_0-1742684754431.png

Just checking because I can't tell if this is one long string or an event that has multiple attributes. If it's an event, could you possibly take a screen shot?

It looks like you'd have something where SYSINFO is the top level and each category below is another level. If that's the case, ideally you'd just have SYSINFO.number_of_subinterfaces as a field name you can table.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...