Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to parse my json

jerrytao
Engager
‎07-18-2024 01:42 AM

With specific query, I can get below value for one field:

{
    "key1": {
        "field1": x
    },
    "key2": {
        "field2": xx
    },
    "key3": {
        "field3": xxx
    }
}
 
Every time, the string of key1,2,3 are different, and the string of field1,2,3 are also different, even the number of key is different for each query, it may eixst key4, key5...
 
Now I want to get below table, could someone help on this? Thanks.
Name AName B
key1field1
key2field2
key3field3
......
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-18-2024 04:30 AM

Here is a runanywhere example showing it working

| makeresults format=json data="[{
    \"key 1\": {
        \"field1\": \"x\"
    },
    \"a.b.c:d-1.0.0\": {
        \"field2\": \"xx\"
    },
    \"key3\": {
        \"field3\": \"xxx\"
    }
}]"
| rename _raw as field
| table field
| eval Name_A=json_array_to_mv(json_keys(field))
| mvexpand Name_A
| eval Name_B=json_array_to_mv(json_keys(json_extract_exact(field,Name_A)))

What else can you tell us about the key names?

View solution in original post

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎07-18-2024 11:56 AM

An easier, and perhaps more semantic method is to use JSON functions introduced in 8.1 to restructure data. (As we have seen before, you have developers who overload JSON's key name to convey data, which is never a good thing.  If you have any influence on them, maybe ask them to change structure before it reaches data consumer.)

With the data you illustrated, Splunk would have given you fields like key1.field1, key2.field2.  Iterate over them using foreach.

 

| foreach *.*
    [eval temp = json_object(), temp = json_set(temp, "Name A", "<<MATCHSEG1>>", "Name B", "<<MATCHSEG2>>", "Value", '<<FIELD>>'),
    reformat = mvappend(reformat, temp)]
| mvexpand reformat
| spath input=reformat
| fields - _* key* temp

 

 Your example results in

Name AName BValuereformat
key1field1x{"Name A":"key1","Name B":"field1","Value":"x"}
key2field2xx{"Name A":"key2","Name B":"field2","Value":"xx"}
key3field3xxx{"Name A":"key3","Name B":"field3","Value":"xxx"}

Here is an emulation you can play with and compare with real data

 

| makeresults
| eval _raw="{
    \"key1\": {
        \"field1\": \"x\"
    },
    \"key2\": {
        \"field2\": \"xx\"
    },
    \"key3\": {
        \"field3\": \"xxx\"
    }
}"
| spath
``` data emulation above ```

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-18-2024 01:58 AM 
| eval Name_A=json_array_to_mv(json_keys(field))
| mvexpand Name_A
| eval Name_B=json_array_to_mv(json_keys(json_extract(field,Name_A)))
0 Karma
Reply
Solved! Jump to solution

jerrytao
Engager
‎07-18-2024 02:44 AM

Thanks, I can get the Name_A, but Name_B is null...

jerrytao_0-1721295863449.png

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-18-2024 03:07 AM

OK the method works with some data as shown by this runanywhere example based on your sample data:

| makeresults format=json data="[{
    \"key1\": {
        \"field1\": \"x\"
    },
    \"key2\": {
        \"field2\": \"xx\"
    },
    \"key3\": {
        \"field3\": \"xxx\"
    }
}]"
| rename _raw as field
| table field
| eval Name_A=json_array_to_mv(json_keys(field))
| mvexpand Name_A
| eval Name_B=json_array_to_mv(json_keys(json_extract(field,Name_A)))

This would seem to suggest that it is something to do with your actual data, which you have hidden. Please provide some anonymised representative samples so we can progress the solution.

0 Karma
Reply
Solved! Jump to solution

jerrytao
Engager
‎07-18-2024 03:27 AM

Below is the sample for the field "NotExportedParameters".

jerrytao_0-1721298211277.png

The hidden part are not fixed string, it can be different every time. 

What I want to get is as below:

hidden partreason
part1ValueOutOfRange
part2ValueOutOfRange
.....
part 6SchemaValidation
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-18-2024 03:55 AM

Your field names possibly have dots in them? Try this way

| eval Name_B=json_array_to_mv(json_keys(json_extract_exact(field,Name_A)))
0 Karma
Reply
Solved! Jump to solution

jerrytao
Engager
‎07-18-2024 04:03 AM

It still doesn't work.

Yes, It has dot, the pattern for Name_A is like below:

a.b.c:d-x.0.0

x is number 1/2/3

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-18-2024 04:30 AM

Here is a runanywhere example showing it working

| makeresults format=json data="[{
    \"key 1\": {
        \"field1\": \"x\"
    },
    \"a.b.c:d-1.0.0\": {
        \"field2\": \"xx\"
    },
    \"key3\": {
        \"field3\": \"xxx\"
    }
}]"
| rename _raw as field
| table field
| eval Name_A=json_array_to_mv(json_keys(field))
| mvexpand Name_A
| eval Name_B=json_array_to_mv(json_keys(json_extract_exact(field,Name_A)))

What else can you tell us about the key names?

0 Karma
Reply
Solved! Jump to solution

jerrytao
Engager
‎07-18-2024 08:19 PM
Thank you, I figure it out.
0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...