Splunk Search

How to split nested json objects?

jcw1407
Engager

I have JSON that is really an array of values but has been encoded as objects, something like this

 

{ "metrics": 
  { "timers" : 
     { "foo_timer":
         {
           "count": 1,
           "max": 452603,
           "mean": 452603,
           "min": 452603
         },
       "bar_some_other_timer":
         {
            "count": 1,
            "max": 367110,
            "mean": 367110,
            "min": 367110
          }
     }
   }
} 

 

I can display this in a table by iterating using foreach, but what I really want to do is search for events where max > 400000, and then display it with the name of the timer - so in the above that would match foo_timer. The names of the timers can be anything and the order is not guaranteed.

I've tried all sorts today and keep coming up short.

1 Solution

yuanliu
SplunkTrust
SplunkTrust

Any day a JSON structure is concerned, I'll take an array formulated as objects rather than objects formulated as an array. See if foreach produces something useful:

 

| rename metrics.timers.*.max as max_*
| fields max_* ``` just to clean view, not part of calculation ```
| foreach max_*
    [| eval maxfield = mvappend(maxfield, if(<<FIELD>> > 400000, "<<FIELD>>=" . <<FIELD>>, null()))]
| fields - max_*, _raw ``` again, just to clean view ```

 

Note the above is just to produce a single field named maxfield to carry the information you wanted in a readable format. For two events like

 

Event 1:
{ "metrics": 
  { "timers" : 
     { "foo_timer":
         {
           "count": 1,
           "max": 452603,
           "mean": 452603,
           "min": 452603
         },
       "bar_some_other_timer":
         {
            "count": 1,
            "max": 367110,
            "mean": 367110,
            "min": 367110
          }
     }
   }
}
---
Event 2:
{"metrics": 
  { "timers" : 
     { "foo_timer":
         {
           "count": 1,
           "max": 452703,
           "mean": 452603,
           "min": 452603
         },
       "bar_some_other_timer2":
         {
            "count": 1,
            "max": 467110,
            "mean": 367110,
            "min": 367110
          }
     }
   }
}

 

the output will be

_time                maxfield
2022-02-11 00:55:01  max_foo_timer=452603
2022-02-11 01:00:01  max_bar_some_other_timer2=467110
                     max_foo_timer=452703

You can operate on maxfield any way you like.  For example, you can add "| mvexpand mvfield" to produce

_time                maxfield
2022-02-11 00:55:01  max_foo_timer=452603
2022-02-11 01:00:01  max_bar_some_other_timer2=467110
                     max_foo_timer=452703

or even "| mvexpand maxfield | rename maxfield as _raw | kv kvdelim="=" | rename _raw as maxfield" to produce

maxfield                          _time                max_bar_some_other_timer2  max_foo_timer
max_foo_timer=452603              2022-02-11 00:48:16                             452603
max_bar_some_other_timer2=467110  2022-02-11 00:53:16  467110
max_foo_timer=452703              2022-02-11 00:53:16                             452703
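For readers who want to check the logic of the accepted answer outside Splunk (for instance when writing a detection that alerts on timer maxima over a threshold), here is an added Python example that is not part of the original thread. It reproduces the three stages of the answer: the `rename`/`foreach`/`mvappend` pass that builds a multivalue maxfield per event, and the `mvexpand`/`kv` pass that turns each value into its own row with a column per timer name. The two sample events and their timestamps are constructed here, modelled on the answer's Event 1 and Event 2; the function names are this example's own.

```python
import json

# Constructed sample events modelled on Event 1 and Event 2 in the answer above.
# _raw is the JSON body exactly as Splunk would hold it; _time is made up.
EVENTS = [
    {
        "_time": "2022-02-11 00:55:01",
        "_raw": '{"metrics": {"timers": {'
                '"foo_timer": {"count": 1, "max": 452603, "mean": 452603, "min": 452603}, '
                '"bar_some_other_timer": {"count": 1, "max": 367110, "mean": 367110, "min": 367110}}}}',
    },
    {
        "_time": "2022-02-11 01:00:01",
        "_raw": '{"metrics": {"timers": {'
                '"foo_timer": {"count": 1, "max": 452703, "mean": 452603, "min": 452603}, '
                '"bar_some_other_timer2": {"count": 1, "max": 467110, "mean": 367110, "min": 367110}}}}',
    },
]

THRESHOLD = 400000  # same cut-off the question asks for (max > 400000)


def timers_over(raw, threshold=THRESHOLD):
    """Return {timer_name: max} for every timer whose max exceeds threshold.

    This is the equivalent of `rename metrics.timers.*.max as max_*` followed by
    the foreach loop: the timer names are dynamic, so we iterate the object's keys
    instead of hard-coding them. Missing or non-numeric "max" values are skipped.
    """
    doc = json.loads(raw)
    timers = doc.get("metrics", {}).get("timers", {})
    hits = {}
    for name, stats in timers.items():
        mx = stats.get("max") if isinstance(stats, dict) else None
        if isinstance(mx, (int, float)) and mx > threshold:
            hits[name] = mx
    return hits


def maxfield(event, threshold=THRESHOLD):
    """Build the multivalue maxfield for one event, e.g. ['max_foo_timer=452603'].

    Splunk's foreach gives no ordering guarantee; sorting by name keeps the
    output deterministic here.
    """
    return [f"max_{name}={mx}"
            for name, mx in sorted(timers_over(event["_raw"], threshold).items())]


def expand_rows(events, threshold=THRESHOLD):
    """Equivalent of `mvexpand maxfield | rename maxfield as _raw | kv kvdelim="="`.

    One row per (event, timer) pair; each row carries the original maxfield
    string plus a column named after the timer holding its numeric max.
    """
    rows = []
    for ev in events:
        for item in maxfield(ev, threshold):
            key, value = item.split("=", 1)  # kv with "=" as the delimiter
            rows.append({"_time": ev["_time"], "maxfield": item, key: int(value)})
    return rows


if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["_time"], maxfield(ev))
    for row in expand_rows(EVENTS):
        print(row)
```

The first loop prints one line per event with its multivalue maxfield, matching the answer's first table; the second prints one row per matching timer, matching the answer's last table (with the constructed timestamps rather than the author's).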
