Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to parse json into rows?

maayan
Path Finder
‎04-30-2023 06:11 AM

Hi,

I have issue similar to: https://community.splunk.com/t5/Getting-Data-In/how-to-split-the-json-array-into-multiple-new-events...
But my case is a bit different.

json structure:
{
"MetaData": {
"Host Name": "....",
"Wi-Fi Driver Version": "..."
},
"Payloads": [
{
"Header": {
"Type": "Event",
"Name": "...",
"TimeStamp": ...
},
"Payload": {
"MAC Address": "00:00:00:00:00:00",
"Network Adapter Type": ...
}
},
{
]
}

i need to:
1. extract table contain the following columns : MetaData.host name,MetaData.Wi-Fi Driver Version,Header.Type, Header.Name,Payload.MAC Address,Payload.Network Adapter Type

2. i expected to see 2 rows in this case

3. the fields name under MetaData,Header and Payload can changed, so it's should be generic.


I have started to write something like that- but it's not generic (type,name,..) and it doesn't extract the meta data:
| spath input=json output=payloadsObjects path=Payloads{}
| mvexpand payloadsObjects
| spath input=payloadsObjects output=Type path=Header.Type
| spath input=payloadsObjects output=Name path=Header.Name
| table *

 

json as example to use:
| makeresults
| eval _raw="{ \"MetaData\": { \"Host Name\": \"maya-MOBL\", \"Driver Version\": \"99.0.100.4\" }, \"Payloads\": [ { \"Header\": { \"Type\": \"Event\", \"Name\": \"IP Disconnection\", \"TimeStamp\": 133265876804261336 }, \"Payload\": { \"MAC Address\": \"00:00:00:00:00:00\", \"Adapter Type\": 140 } }, { \"Header\": { \"Type\": \"Event\", \"Name\": \"Connection success\", \"TimeStamp\": 133265877087374706 }, \"Payload\": { \"MAC Address\": \"00:00:00:00:00:00\", \"Network Adapter Type\": 131, \"Address\": \"0000:0:0000:000:000:df:0000:0000\", \"Prefix Length\": 64, \"Is Local Address\": false, \"Gateway IP Address\": \"::\", \"DNS Server\": [], \"DHCP Server\": null, \"DHCP Lease Duration\": 000000000, \"DHCP Retrieval Time\": 0 } } ] }"

May I get your help please?

*note- nice to have also solution that doesn't use makeresult because it made me problem to find Payloads{} field when i used real json file in my report and not makeresult.
*note 2- need to take time performance into consideration

Labels (3)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎04-30-2023 02:54 PM

It's great that you not only illustrate data, but offer makeresults emulation.  This helps a lot.  Let me first point to the solution:

| spath path=Payloads{}.Payload
| mvexpand Payloads{}.Payload
``` | rename Payload{}.Payload Payload ```

(I added a rename in comment in case you want to use a field name without citing the full path.)

I want to circle back to the data illustration.  The sample makeresults unfortunately did not produce valid JSON.  This is what I suspected is a valid emulation of your real data:

| makeresults
| eval _raw="{ \"MetaData\": { \"Host Name\": \"maya-MOBL\", \"Driver Version\": \"99.0.100.4\" }, \"Payloads\": [ { \"Header\": { \"Type\": \"Event\", \"Name\": \"IP Disconnection\", \"TimeStamp\": 133265876804261336 }, \"Payload\": { \"MAC Address\": \"00:00:00:00:00:00\", \"Adapter Type\": 140 } }, { \"Header\": { \"Type\": \"Event\", \"Name\": \"Connection success\", \"TimeStamp\": 133265877087374706 }, \"Payload\": { \"MAC Address\": \"00:00:00:00:00:00\", \"Network Adapter Type\": 131} }], \"Address\": \"0000:0:0000:000:000:df:0000:0000\", \"Prefix Length\": 64, \"Is Local Address\": false, \"Gateway IP Address\": \"::\", \"DNS Server\": [], \"DHCP Server\": null, \"DHCP Lease Duration\": 0, \"DHCP Retrieval Time\": 0 }"
```| eval valid = if(json_valid(_raw), "true", "false")```

The emulation gives this:

{ "MetaData": { "Host Name": "maya-MOBL", "Driver Version": "99.0.100.4" }, "Payloads": [ { "Header": { "Type": "Event", "Name": "IP Disconnection", "TimeStamp": 133265876804261336 }, "Payload": { "MAC Address": "00:00:00:00:00:00", "Adapter Type": 140 } }, { "Header": { "Type": "Event", "Name": "Connection success", "TimeStamp": 133265877087374706 }, "Payload": { "MAC Address": "00:00:00:00:00:00", "Network Adapter Type": 131} }], "Address": "0000:0:0000:000:000:df:0000:0000", "Prefix Length": 64, "Is Local Address": false, "Gateway IP Address": "::", "DNS Server": [], "DHCP Server": null, "DHCP Lease Duration": 0, "DHCP Retrieval Time": 0 }

Hope this helps

0 Karma
Reply

mph
Loves-to-Learn
‎05-01-2023 02:17 AM

Hi,

Thanks for your help. Regarding the invalid json- it's ChatGPT fault, not mine sorry 🙂

Here is an updated json:
{ "MetaData": { "Host Name": "maya-MOBL", "Driver Version": "0.0.0.0" }, "Payloads": [ { "Header": { "Type": "Event", "Name": "IP Disconnection", "TimeStamp": 133265876804261336 }, "Payload": { "MAC Address": "00:00:00:00:00:00", "Network Adapter Type": 131 } }, { "Header": { "Type": "Event", "Name": "conn success", "TimeStamp": 133265877087374706 }, "Payload": { "MAC Address": "00:00:00:00:00:10", "Network Adapter Type": 131, "IPv6 Address": "0000:0:0000:000:000:00:0000:0000", "Prefix Length": 64, "Is Local Address": false, "Gateway IP Address": "::", "DNS Server IP Address": [ ], "DHCP Server": null, "DHCP Lease Duration": 4294967295, "DHCP Retrieval Time": 0 } } ] }

makeresult format:
_raw="{ \"MetaData\": { \"Host Name\": \"maya-MOBL\", \"Driver Version\": \"0.0.0.0\" }, \"Payloads\": [ { \"Header\": { \"Type\": \"Event\", \"Name\": \"IP Disconnection\", \"TimeStamp\": 133265876804261336 }, \"Payload\": { \"MAC Address\": \"00:00:00:00:00:00\", \"Network Adapter Type\": 131 } }, { \"Header\": { \"Type\": \"Event\", \"Name\": \"conn success\", \"TimeStamp\": 133265877087374706 }, \"Payload\": { \"MAC Address\": \"00:00:00:00:00:10\", \"Network Adapter Type\": 131, \"IPv6 Address\": \"0000:0:0000:000:000:00:0000:0000\", \"Prefix Length\": 64, \"Is Local Address\": false, \"Gateway IP Address\": \"::\", \"DNS Server IP Address\": [ ], \"DHCP Server\": null, \"DHCP Lease Duration\": 4294967295, \"DHCP Retrieval Time\": 0 } } ] }"

I expect to see the result like this(contained all the columns of Payload, MetaData and Header),I haven't succeed yet:

mph_2-1682932542768.png

Thanks a lot,

Maayan

 

0 Karma
Reply

maayan
Path Finder
‎04-30-2023 06:18 AM

*I would explain that: Payloads is an array of Events.
Each Event is divided to Header and Payload. Fields under Payload and Header can be changed (therefore it should be generic).
As i said- Meta data fields also need to be extracted. they are also generic.

0 Karma
Reply
Get Updates on the Splunk Community!

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...