Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to parse JSON List

srajabi
Engager
‎09-19-2023 05:35 PM

Hey I have the following query:

 

```

| makeresults | eval prediction_str_body="[{'stringOutput':'Alpha','doubleOutput':0.52},{'stringOutput':'Beta','doubleOutput':0.48}]"

```

 

But no matter what I do, I can't seem to extract each element of the list and turn it into it's own event.

I'd ideally like a table afterwards of the sum of each value:

Alpha: 0.52
Beta: 0.48

For all rows.

Thanks!

Labels (1)
Labels
0 Karma
Reply

srajabi
Engager
‎09-19-2023 06:57 PM

Ah wonderful, thanks so much!

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎09-19-2023 06:03 PM

Pro tip: It is great that you are using makeresults to post simulation.  But do not mangle JSON.

The command you are looking for is mvexpand.

 

| makeresults | eval prediction_str_body="[{\"stringOutput\":\"Alpha\",\"doubleOutput\":0.52},{\"stringOutput\":\"Beta\",\"doubleOutput\":0.48}]"
| spath input=prediction_str_body path={}
| mvexpand {}
| spath input={}

 

Your sample gives

doubleOutputstringOutput{}
0.48Beta{"stringOutput":"Beta","doubleOutput":0.48}

Hope this helps.

Tags (1)
Reply
Get Updates on the Splunk Community!

Splunk Platform | Upgrading your Splunk Deployment to Python 3.9

Splunk initially announced the removal of Python 2 during the release of Splunk Enterprise 8.0.0, aiming to ...

From Product Design to User Insights: Boosting App Developer Identity on Splunkbase

co-authored by Yiyun Zhu & Dan Hosaka Engaging with the Community at .conf24 At .conf24, we revitalized the ...

Detect and Resolve Issues in a Kubernetes Environment

We’ve gone through common problems one can encounter in a Kubernetes environment, their impacts, and the ...