Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract value with dynamic key name

shimada-k
Explorer
‎03-22-2025 03:10 PM

Hi Experts,

I have the following data. 

{
"TIMESTAMP": 1742677200,
"SYSINFO": "{\"number_of_notconnect_interfaces\":0,\"hostname\":\"test\",\"number_of_transceivers\":{\"10G-LR\":10,\"100G-CWDM4\":20},\"number_of_bfd_peers\":10,\"number_of_bgp_peers\":10,\"number_of_disabled_interfaces\":10,\"number_of_subinterfaces\":{\"Ethernet1\":10,\"Ethernet2\":20},\"number_of_up_interfaces\":1}"
}

I would like to create the table as below, but Ethernet1 or Ethernet2 is a dynamic key (it can be like Ethernet3 or Ethernet4).

Ethernet110
Ethernet220

 

Could someone tell me how to write query to achieve this?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-23-2025 02:58 AM 
| makeresults | eval json="{\"TIMESTAMP\": 1742677200,\"SYSINFO\": \"{\\\"number_of_notconnect_interfaces\\\":0,\\\"hostname\\\":\\\"test\\\",\\\"number_of_transceivers\\\":{\\\"10G-LR\\\":10,\\\"100G-CWDM4\\\":20},\\\"number_of_bfd_peers\\\":10,\\\"number_of_bgp_peers\\\":10,\\\"number_of_disabled_interfaces\\\":10,\\\"number_of_subinterfaces\\\":{\\\"Ethernet1\\\":10,\\\"Ethernet2\\\":20},\\\"number_of_up_interfaces\\\":1}\"}"
| spath input=json
| spath input=SYSINFO number_of_subinterfaces
| fields number_of_subinterfaces
| eval keys=json_array_to_mv(json_keys(number_of_subinterfaces),false())
| mvexpand keys
| eval value=json_extract(number_of_subinterfaces,keys)
| fields - _time number_of_subinterfaces

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-23-2025 02:58 AM 
| makeresults | eval json="{\"TIMESTAMP\": 1742677200,\"SYSINFO\": \"{\\\"number_of_notconnect_interfaces\\\":0,\\\"hostname\\\":\\\"test\\\",\\\"number_of_transceivers\\\":{\\\"10G-LR\\\":10,\\\"100G-CWDM4\\\":20},\\\"number_of_bfd_peers\\\":10,\\\"number_of_bgp_peers\\\":10,\\\"number_of_disabled_interfaces\\\":10,\\\"number_of_subinterfaces\\\":{\\\"Ethernet1\\\":10,\\\"Ethernet2\\\":20},\\\"number_of_up_interfaces\\\":1}\"}"
| spath input=json
| spath input=SYSINFO number_of_subinterfaces
| fields number_of_subinterfaces
| eval keys=json_array_to_mv(json_keys(number_of_subinterfaces),false())
| mvexpand keys
| eval value=json_extract(number_of_subinterfaces,keys)
| fields - _time number_of_subinterfaces
Reply
Solved! Jump to solution

gargantua
Path Finder
‎03-24-2025 01:04 AM

Or even that :

| makeresults | eval json="{\"TIMESTAMP\": 1742677200,\"SYSINFO\": \"{\\\"number_of_notconnect_interfaces\\\":0,\\\"hostname\\\":\\\"test\\\",\\\"number_of_transceivers\\\":{\\\"10G-LR\\\":10,\\\"100G-CWDM4\\\":20},\\\"number_of_bfd_peers\\\":10,\\\"number_of_bgp_peers\\\":10,\\\"number_of_disabled_interfaces\\\":10,\\\"number_of_subinterfaces\\\":{\\\"Ethernet1\\\":10,\\\"Ethernet2\\\":20},\\\"number_of_up_interfaces\\\":1}\"}"

|fromjson json
|fromjson SYSINFO
|fields number_of_subinterfaces
|fromjson number_of_subinterfaces
|fields - number_of_subinterfaces _time
|transpose header_field=column
|rename "row 1" as value, column as keys

🙂

 

0 Karma
Reply
Solved! Jump to solution

shimada-k
Explorer
‎03-23-2025 06:18 AM

Thank you very much, ITWhispere. That works.

0 Karma
Reply
Solved! Jump to solution

gargantua
Path Finder
‎03-22-2025 04:20 PM

Is this doing what you're trying to do ?

| makeresults | eval json="{\"TIMESTAMP\": 1742677200,\"SYSINFO\": \"{\\\"number_of_notconnect_interfaces\\\":0,\\\"hostname\\\":\\\"test\\\",\\\"number_of_transceivers\\\":{\\\"10G-LR\\\":10,\\\"100G-CWDM4\\\":20},\\\"number_of_bfd_peers\\\":10,\\\"number_of_bgp_peers\\\":10,\\\"number_of_disabled_interfaces\\\":10,\\\"number_of_subinterfaces\\\":{\\\"Ethernet1\\\":10,\\\"Ethernet2\\\":20},\\\"number_of_up_interfaces\\\":1}\"}"

|fromjson json
|fromjson SYSINFO
|fields number_of_subinterfaces
|fromjson number_of_subinterfaces
|fields - number_of_subinterfaces _time

 

Results :

Ethernet110
Ethernet220

 

0 Karma
Reply
Solved! Jump to solution

gargantua
Path Finder
‎03-22-2025 04:13 PM

Is your data is exactly like this samble, with all those :

\"

??

0 Karma
Reply
Solved! Jump to solution

catdadof3
Explorer
‎03-22-2025 04:12 PM

Just to clarify - This how the data is coming into your index/source and you're trying to manipulate it via SPL?

It looks something like this only an event vs a table?

catdadof3_0-1742684754431.png

Just checking because I can't tell if this is one long string or an event that has multiple attributes. If it's an event, could you possibly take a screen shot?

It looks like you'd have something where SYSINFO is the top level and each category below is another level. If that's the case, ideally you'd just have SYSINFO.number_of_subinterfaces as a field name you can table.

0 Karma
Reply
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...