Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to parse a path request string in json format?

EricMonkeyKing
Explorer
‎12-13-2023 02:04 AM

Hi all,

For this sort of json string, how can I extract KeyA, KeyB, KeyC

{ "KeyA": [ { "path": "/attibuteA", "op": "replace", "value": "hello" }, { "path": "/attibuteB", "op": "replace", "value": "hi" } ], "KeyB": [ { "path": "/attibuteA", "op": "replace", "value": "" }, { "path": "/attibuteC", "op": "replace", "value": "hey" }, { "path": "/attibuteD", "op": "replace", "value": "hello" } ], "KeyC": [ { "path": "/attibuteE", "op": "replace", "value": "" } ] }

 

My ideal output would look like:

Keypathopvalue
KeyAattibuteAreplacehello
KeyAattibuteBreplacehi
KeyBattibuteAreplace 
KeyBattibuteCreplacehey
KeyBattibuteDreplacehello
KeycattibuteEreplace 

 

Many thanks^

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dtburrows3
Builder
‎12-13-2023 07:22 AM

Think I was able to get the table in the output you are wanting. 

dtburrows3_0-1702480839496.png


I was able to achieve this using this SPL.

| makeresults
    | eval
        json_object="{ \"KeyA\": [ { \"path\": \"/attibuteA\", \"op\": \"replace\", \"value\": \"hello\" }, { \"path\": \"/attibuteB\", \"op\": \"replace\", \"value\": \"hi\" } ], \"KeyB\": [ { \"path\": \"/attibuteA\", \"op\": \"replace\", \"value\": \"\" }, { \"path\": \"/attibuteC\", \"op\": \"replace\", \"value\": \"hey\" }, { \"path\": \"/attibuteD\", \"op\": \"replace\", \"value\": \"hello\" } ], \"KeyC\": [ { \"path\": \"/attibuteE\", \"op\": \"replace\", \"value\": \"\" } ] }"
    | fields - _time
    | fromjson json_object
    | fields - json_object
    ``` Assuming that your fieldset at this point is only the list of fields needed for your final output ```
    ``` If there are other fields present that are not apart of the json object you are trying to parse then you should set up a naming convention for fields youy want to loop through ```
    | foreach *
        [
            | eval
                all_objects=mvappend(
                    'all_objects',
                    case(
                        isnull('<<FIELD>>'), null(),
                        mvcount('<<FIELD>>')==1, json_set('<<FIELD>>', "Key", "<<FIELD>>"),
                        mvcount('<<FIELD>>')>1, mvmap('<<FIELD>>', json_set('<<FIELD>>', "Key", "<<FIELD>>"))
                        )
                    )
            ]
    | fields + all_objects
    | mvexpand all_objects
    | spath input=all_objects
    | fields - all_objects
    | fields + Key, path, op, value

View solution in original post

Reply
Solved! Jump to solution
Solution

dtburrows3
Builder
‎12-13-2023 07:22 AM

Think I was able to get the table in the output you are wanting. 

dtburrows3_0-1702480839496.png


I was able to achieve this using this SPL.

| makeresults
    | eval
        json_object="{ \"KeyA\": [ { \"path\": \"/attibuteA\", \"op\": \"replace\", \"value\": \"hello\" }, { \"path\": \"/attibuteB\", \"op\": \"replace\", \"value\": \"hi\" } ], \"KeyB\": [ { \"path\": \"/attibuteA\", \"op\": \"replace\", \"value\": \"\" }, { \"path\": \"/attibuteC\", \"op\": \"replace\", \"value\": \"hey\" }, { \"path\": \"/attibuteD\", \"op\": \"replace\", \"value\": \"hello\" } ], \"KeyC\": [ { \"path\": \"/attibuteE\", \"op\": \"replace\", \"value\": \"\" } ] }"
    | fields - _time
    | fromjson json_object
    | fields - json_object
    ``` Assuming that your fieldset at this point is only the list of fields needed for your final output ```
    ``` If there are other fields present that are not apart of the json object you are trying to parse then you should set up a naming convention for fields youy want to loop through ```
    | foreach *
        [
            | eval
                all_objects=mvappend(
                    'all_objects',
                    case(
                        isnull('<<FIELD>>'), null(),
                        mvcount('<<FIELD>>')==1, json_set('<<FIELD>>', "Key", "<<FIELD>>"),
                        mvcount('<<FIELD>>')>1, mvmap('<<FIELD>>', json_set('<<FIELD>>', "Key", "<<FIELD>>"))
                        )
                    )
            ]
    | fields + all_objects
    | mvexpand all_objects
    | spath input=all_objects
    | fields - all_objects
    | fields + Key, path, op, value
Reply
Solved! Jump to solution

EricMonkeyKing
Explorer
‎12-14-2023 12:42 AM
Much appreciated! It works!
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎12-14-2023 12:49 AM

Hi @EricMonkeyKing ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

 

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎12-13-2023 02:11 AM

Hi @EricMonkeyKing,

did you configured INDEXED_EXTRACTIONS = json for that sourcetype or used the spath command (https://docs.splunk.com/Documentation/Splunk/9.1.2/SearchReference/Spath) ?

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

EricMonkeyKing
Explorer
‎12-14-2023 12:44 AM
Thanks. I tried but the scenario is a little bit complex ^^
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...