Solved: Re: How to split Json array using Splunk Search co...

ajayabburi508 · ‎02-16-2018

My Query is :

|inputlookup geo_jj | eval types = "{\"geom\": " + geom + "}" | spath input=types

i got output in geom column is :

geom

{"type":"MultiPolygon","coordinates":[[[[-105.8203125,31.052934646606445],[-105.8203125,48.806861877441406],[-88.06640625,48.806861877441406],[-88.06640625,31.052934646606445],[-105.8203125,31.052934646606445]]]]}

But i want output like this

value1 value2
-105.8203125 31.052934646606445
-105.8203125 48.806861877441406
-88.06640625 48.806861877441406
-88.06640625 31.052934646606445
-105.8203125 31.052934646606445

Please help me for this

493669 · ‎02-17-2018

Hi @ajayabburi508,
try this regex:

|rex max_match=0 field=geom "\[(?<value1>-[^,]+),(?<value2>[^]]+)"

after this to separate multivalue fields you can try :

|eval combined=mvzip(value1,value2)| mvexpand combined
 | makemv combined delim=","  
|eval lat=mvindex(combined,0), lon=mvindex(combined,1)

View solution in original post

493669 · ‎02-17-2018

Hi @ajayabburi508,
try this regex:

|rex max_match=0 field=geom "\[(?<value1>-[^,]+),(?<value2>[^]]+)"

after this to separate multivalue fields you can try :

|eval combined=mvzip(value1,value2)| mvexpand combined
 | makemv combined delim=","  
|eval lat=mvindex(combined,0), lon=mvindex(combined,1)

ajayabburi508 · ‎02-17-2018

Thanks 493669 alot ,it is working good

493669 · ‎02-17-2018

Glad to help:) please accept the answer so that it will no longer open.

ajayabburi508 · ‎02-17-2018

Accepted bro

How to split Json array using Splunk Search commands??

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

Announcing Modern Navigation: A New Era of Splunk User Experience

Casting Call: Compete in Cyber Games

Join the Conversation