Splunk Search

How to split nested json objects?

jcw1407
Engager

I have JSON that is really an array of values but has been encoded as objects, something like this


{ "metrics": 
  { "timers" : 
     { "foo_timer":
         {
           "count": 1,
           "max": 452603,
           "mean": 452603,
           "min": 452603
         },
       "bar_some_other_timer":
         {
            "count": 1,
            "max": 367110,
            "mean": 367110,
            "min": 367110
          }
     }
   }
} 


I can display this in a table by iterating using foreach, but what I really want to do is search for events where max > 400000, and then display it with the name of the timer - so in the above that would match foo_timer. The names of the timers can be anything and the order is not guaranteed.

I've tried all sorts today and keep coming up short.


yuanliu
SplunkTrust

Any day JSON structure is concerned, I'll take array formulated as objects rather than objects formulated as array.  See if foreach produces something useful:


| rename metrics.timers.*.max as max_*
| fields max_* ``` just to clean view, not part of calculation ```
| foreach max_*
    [| eval maxfield = mvappend(maxfield, if(<<FIELD>> > 400000, "<<FIELD>>=" . <<FIELD>>, null()))]
| fields - max_*, _raw ``` again, just to clean view ```


Note the above is just to produce a singular field named maxfield to carry the information you wanted in a readable format. For two events like


Event 1:
{ "metrics": 
  { "timers" : 
     { "foo_timer":
         {
           "count": 1,
           "max": 452603,
           "mean": 452603,
           "min": 452603
         },
       "bar_some_other_timer":
         {
            "count": 1,
            "max": 367110,
            "mean": 367110,
            "min": 367110
          }
     }
   }
}
---
Event 2:
{"metrics": 
  { "timers" : 
     { "foo_timer":
         {
           "count": 1,
           "max": 452703,
           "mean": 452603,
           "min": 452603
         },
       "bar_some_other_timer2":
         {
            "count": 1,
            "max": 467110,
            "mean": 367110,
            "min": 367110
          }
     }
   }
}


the output will be

_time                maxfield
2022-02-11 00:55:01  max_foo_timer=452603
2022-02-11 01:00:01  max_bar_some_other_timer2=467110
                     max_foo_timer=452703

You can operate on maxfield any way you like. For example, you can add "| mvexpand maxfield" to produce

_time                maxfield
2022-02-11 00:55:01  max_foo_timer=452603
2022-02-11 01:00:01  max_bar_some_other_timer2=467110
2022-02-11 01:00:01  max_foo_timer=452703

or even "| mvexpand maxfield | rename maxfield as _raw | kv kvdelim="=" | rename _raw as maxfield" to produce

maxfield                          _time                max_bar_some_other_timer2  max_foo_timer
max_foo_timer=452603              2022-02-11 00:48:16                             452603
max_bar_some_other_timer2=467110  2022-02-11 00:53:16  467110
max_foo_timer=452703              2022-02-11 00:53:16                             452703
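As an added example that is not part of the thread or of Splunk itself, the same pipeline in Python: flatten metrics.timers.*.max into max_<name> fields (the rename step), keep the ones above the 400000 threshold as a multivalue maxfield (the foreach/mvappend step), and expand each match into its own row with the timer name split out as a column (the mvexpand/kv step). The two events and their timestamps are constructed from the ones shown above; timers with no numeric max are skipped rather than compared.

```python
import json

# Constructed sample events (timestamp, raw JSON), shaped like the two in the thread.
EVENTS = [
    ("2022-02-11 00:55:01", json.dumps({"metrics": {"timers": {
        "foo_timer": {"count": 1, "max": 452603, "mean": 452603, "min": 452603},
        "bar_some_other_timer": {"count": 1, "max": 367110, "mean": 367110, "min": 367110}}}})),
    ("2022-02-11 01:00:01", json.dumps({"metrics": {"timers": {
        "foo_timer": {"count": 1, "max": 452703, "mean": 452603, "min": 452603},
        "bar_some_other_timer2": {"count": 1, "max": 467110, "mean": 367110, "min": 367110}}}})),
]


def max_fields(raw):
    """Like `rename metrics.timers.*.max as max_*`: one max_<name> field per timer.

    Timer names are the object keys, so they are discovered by walking the object,
    not listed up front. Entries without a numeric max are dropped so a malformed
    timer cannot break the comparison below."""
    timers = json.loads(raw).get("metrics", {}).get("timers", {})
    return {f"max_{name}": stats["max"] for name, stats in timers.items()
            if isinstance(stats, dict) and isinstance(stats.get("max"), (int, float))}


def maxfield(raw, threshold=400000):
    """Like the foreach/mvappend loop: the multivalue maxfield for one event.

    Sorted by field name, which is the order the thread's output shows."""
    return [f"{field}={value}" for field, value in sorted(max_fields(raw).items())
            if value > threshold]


def expanded_rows(events, threshold=400000):
    """Like `mvexpand maxfield | kv kvdelim="="`: one row per match, with the
    timer name promoted to its own column holding the value."""
    rows = []
    for ts, raw in events:
        for field, value in sorted(max_fields(raw).items()):
            if value > threshold:
                rows.append({"_time": ts, "maxfield": f"{field}={value}", field: value})
    return rows


if __name__ == "__main__":
    for ts, raw in EVENTS:
        print(ts, maxfield(raw))
    for row in expanded_rows(EVENTS):
        print(row)
```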
