Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to parse json into rows?

maayan
Path Finder
‎04-30-2023 06:11 AM

Hi,

I have issue similar to: https://community.splunk.com/t5/Getting-Data-In/how-to-split-the-json-array-into-multiple-new-events...
But my case is a bit different.

json structure:
{
"MetaData": {
"Host Name": "....",
"Wi-Fi Driver Version": "..."
},
"Payloads": [
{
"Header": {
"Type": "Event",
"Name": "...",
"TimeStamp": ...
},
"Payload": {
"MAC Address": "00:00:00:00:00:00",
"Network Adapter Type": ...
}
},
{
]
}

i need to:
1. extract table contain the following columns : MetaData.host name,MetaData.Wi-Fi Driver Version,Header.Type, Header.Name,Payload.MAC Address,Payload.Network Adapter Type

2. i expected to see 2 rows in this case

3. the fields name under MetaData,Header and Payload can changed, so it's should be generic.


I have started to write something like that- but it's not generic (type,name,..) and it doesn't extract the meta data:
| spath input=json output=payloadsObjects path=Payloads{}
| mvexpand payloadsObjects
| spath input=payloadsObjects output=Type path=Header.Type
| spath input=payloadsObjects output=Name path=Header.Name
| table *

 

json as example to use:
| makeresults
| eval _raw="{ \"MetaData\": { \"Host Name\": \"maya-MOBL\", \"Driver Version\": \"99.0.100.4\" }, \"Payloads\": [ { \"Header\": { \"Type\": \"Event\", \"Name\": \"IP Disconnection\", \"TimeStamp\": 133265876804261336 }, \"Payload\": { \"MAC Address\": \"00:00:00:00:00:00\", \"Adapter Type\": 140 } }, { \"Header\": { \"Type\": \"Event\", \"Name\": \"Connection success\", \"TimeStamp\": 133265877087374706 }, \"Payload\": { \"MAC Address\": \"00:00:00:00:00:00\", \"Network Adapter Type\": 131, \"Address\": \"0000:0:0000:000:000:df:0000:0000\", \"Prefix Length\": 64, \"Is Local Address\": false, \"Gateway IP Address\": \"::\", \"DNS Server\": [], \"DHCP Server\": null, \"DHCP Lease Duration\": 000000000, \"DHCP Retrieval Time\": 0 } } ] }"

May I get your help please?

*note- nice to have also solution that doesn't use makeresult because it made me problem to find Payloads{} field when i used real json file in my report and not makeresult.
*note 2- need to take time performance into consideration

Labels (2)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎04-30-2023 02:54 PM

It's great that you not only illustrate data, but offer makeresults emulation.  This helps a lot.  Let me first point to the solution:

| spath path=Payloads{}.Payload
| mvexpand Payloads{}.Payload
``` | rename Payload{}.Payload Payload ```

(I added a rename in comment in case you want to use a field name without citing the full path.)

I want to circle back to the data illustration.  The sample makeresults unfortunately did not produce valid JSON.  This is what I suspected is a valid emulation of your real data:

| makeresults
| eval _raw="{ \"MetaData\": { \"Host Name\": \"maya-MOBL\", \"Driver Version\": \"99.0.100.4\" }, \"Payloads\": [ { \"Header\": { \"Type\": \"Event\", \"Name\": \"IP Disconnection\", \"TimeStamp\": 133265876804261336 }, \"Payload\": { \"MAC Address\": \"00:00:00:00:00:00\", \"Adapter Type\": 140 } }, { \"Header\": { \"Type\": \"Event\", \"Name\": \"Connection success\", \"TimeStamp\": 133265877087374706 }, \"Payload\": { \"MAC Address\": \"00:00:00:00:00:00\", \"Network Adapter Type\": 131} }], \"Address\": \"0000:0:0000:000:000:df:0000:0000\", \"Prefix Length\": 64, \"Is Local Address\": false, \"Gateway IP Address\": \"::\", \"DNS Server\": [], \"DHCP Server\": null, \"DHCP Lease Duration\": 0, \"DHCP Retrieval Time\": 0 }"
```| eval valid = if(json_valid(_raw), "true", "false")```

The emulation gives this:

{ "MetaData": { "Host Name": "maya-MOBL", "Driver Version": "99.0.100.4" }, "Payloads": [ { "Header": { "Type": "Event", "Name": "IP Disconnection", "TimeStamp": 133265876804261336 }, "Payload": { "MAC Address": "00:00:00:00:00:00", "Adapter Type": 140 } }, { "Header": { "Type": "Event", "Name": "Connection success", "TimeStamp": 133265877087374706 }, "Payload": { "MAC Address": "00:00:00:00:00:00", "Network Adapter Type": 131} }], "Address": "0000:0:0000:000:000:df:0000:0000", "Prefix Length": 64, "Is Local Address": false, "Gateway IP Address": "::", "DNS Server": [], "DHCP Server": null, "DHCP Lease Duration": 0, "DHCP Retrieval Time": 0 }

Hope this helps

0 Karma
Reply

mph
Loves-to-Learn
‎05-01-2023 02:17 AM

Hi,

Thanks for your help. Regarding the invalid json- it's ChatGPT fault, not mine sorry 🙂

Here is an updated json:
{ "MetaData": { "Host Name": "maya-MOBL", "Driver Version": "0.0.0.0" }, "Payloads": [ { "Header": { "Type": "Event", "Name": "IP Disconnection", "TimeStamp": 133265876804261336 }, "Payload": { "MAC Address": "00:00:00:00:00:00", "Network Adapter Type": 131 } }, { "Header": { "Type": "Event", "Name": "conn success", "TimeStamp": 133265877087374706 }, "Payload": { "MAC Address": "00:00:00:00:00:10", "Network Adapter Type": 131, "IPv6 Address": "0000:0:0000:000:000:00:0000:0000", "Prefix Length": 64, "Is Local Address": false, "Gateway IP Address": "::", "DNS Server IP Address": [ ], "DHCP Server": null, "DHCP Lease Duration": 4294967295, "DHCP Retrieval Time": 0 } } ] }

makeresult format:
_raw="{ \"MetaData\": { \"Host Name\": \"maya-MOBL\", \"Driver Version\": \"0.0.0.0\" }, \"Payloads\": [ { \"Header\": { \"Type\": \"Event\", \"Name\": \"IP Disconnection\", \"TimeStamp\": 133265876804261336 }, \"Payload\": { \"MAC Address\": \"00:00:00:00:00:00\", \"Network Adapter Type\": 131 } }, { \"Header\": { \"Type\": \"Event\", \"Name\": \"conn success\", \"TimeStamp\": 133265877087374706 }, \"Payload\": { \"MAC Address\": \"00:00:00:00:00:10\", \"Network Adapter Type\": 131, \"IPv6 Address\": \"0000:0:0000:000:000:00:0000:0000\", \"Prefix Length\": 64, \"Is Local Address\": false, \"Gateway IP Address\": \"::\", \"DNS Server IP Address\": [ ], \"DHCP Server\": null, \"DHCP Lease Duration\": 4294967295, \"DHCP Retrieval Time\": 0 } } ] }"

I expect to see the result like this(contained all the columns of Payload, MetaData and Header),I haven't succeed yet:

mph_2-1682932542768.png

Thanks a lot,

Maayan

 

0 Karma
Reply

maayan
Path Finder
‎04-30-2023 06:18 AM

*I would explain that: Payloads is an array of Events.
Each Event is divided to Header and Payload. Fields under Payload and Header can be changed (therefore it should be generic).
As i said- Meta data fields also need to be extracted. they are also generic.

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Top