
How to split nested json objects?

jcw1407
Engager

I have JSON that is really an array of values but has been encoded as objects, something like this

 

{ "metrics": 
  { "timers" : 
     { "foo_timer":
         {
           "count": 1,
           "max": 452603,
           "mean": 452603,
           "min": 452603
         },
       "bar_some_other_timer":
         {
            "count": 1,
            "max": 367110,
            "mean": 367110,
            "min": 367110
          }
     }
   }
} 

 

I can display this in a table by iterating using foreach, but what I really want to do is search for events where max > 400000, and then display it with the name of the timer - so in above that would match foo_timer.  The names of the timer can be anything and the order is not guaranteed.

I've tried all sorts today and keep coming up short.

1 Solution

yuanliu
SplunkTrust

Any day JSON structure is concerned, I'll take array formulated as objects rather than objects formulated as array.  See if foreach produces something useful:

 

| rename metrics.timers.*.max as max_*
| fields max_* ``` just to clean view, not part of calculation ```
| foreach max_*
    [| eval maxfield = mvappend(maxfield, if(<<FIELD>> > 400000, "<<FIELD>>=" . <<FIELD>>, null()))]
| fields - max_*, _raw ``` again, just to clean view ```

 

Note the above is just to produce a singular field named maxfield to carry the information you wanted in a readable format.  For two events like

 

Event 1:
{ "metrics": 
  { "timers" : 
     { "foo_timer":
         {
           "count": 1,
           "max": 452603,
           "mean": 452603,
           "min": 452603
         },
       "bar_some_other_timer":
         {
            "count": 1,
            "max": 367110,
            "mean": 367110,
            "min": 367110
          }
     }
   }
}
---
Event 2:
{"metrics": 
  { "timers" : 
     { "foo_timer":
         {
           "count": 1,
           "max": 452703,
           "mean": 452603,
           "min": 452603
         },
       "bar_some_other_timer2":
         {
            "count": 1,
            "max": 467110,
            "mean": 367110,
            "min": 367110
          }
     }
   }
}

 

the output will be

_time                maxfield
2022-02-11 00:55:01  max_foo_timer=452603
2022-02-11 01:00:01  max_bar_some_other_timer2=467110
                     max_foo_timer=452703

You can operate on maxfield any way you like.  For example, you can add "| mvexpand mvfield" to produce

_time                maxfield
2022-02-11 00:55:01  max_foo_timer=452603
2022-02-11 01:00:01  max_bar_some_other_timer2=467110
                     max_foo_timer=452703

or even "| mvexpand maxfield | rename maxfield as _raw | kv kvdelim="=" | rename _raw as maxfield" to produce

maxfield                          _time                max_bar_some_other_timer2  max_foo_timer
max_foo_timer=452603              2022-02-11 00:48:16                             452603
max_bar_some_other_timer2=467110  2022-02-11 00:53:16  467110
max_foo_timer=452703              2022-02-11 00:53:16                             452703
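The rename/foreach/mvappend logic of the answer, reproduced in Python as an added example (not code from the thread, and not a Splunk API) so the steps can be checked offline: flatten the event into Splunk-style dotted field names, apply the wildcard rename, then collect every timer whose max exceeds the threshold without knowing the timer names in advance. The two events are constructed to mirror those in the answer; `flatten`, `rename_wildcard`, `maxfield` and `search` are names chosen here.

```python
import json
import re

# Constructed sample events that mirror the two events in the answer above
# (assumption: same timer names and values; this is not real Splunk data).
EVENT_1 = """{"metrics": {"timers": {
  "foo_timer":            {"count": 1, "max": 452603, "mean": 452603, "min": 452603},
  "bar_some_other_timer": {"count": 1, "max": 367110, "mean": 367110, "min": 367110}
}}}"""

EVENT_2 = """{"metrics": {"timers": {
  "foo_timer":             {"count": 1, "max": 452703, "mean": 452603, "min": 452603},
  "bar_some_other_timer2": {"count": 1, "max": 467110, "mean": 367110, "min": 367110}
}}}"""


def flatten(obj, prefix=""):
    """Flatten nested JSON into Splunk-style dotted field names, e.g.
    metrics.timers.foo_timer.max -> 452603. This mimics what Splunk's
    automatic JSON field extraction produces for each event."""
    if not isinstance(obj, dict):
        return {prefix.rstrip("."): obj}
    flat = {}
    for key, value in obj.items():
        flat.update(flatten(value, f"{prefix}{key}."))
    return flat


def rename_wildcard(fields, pattern, replacement):
    """Mimic `| rename metrics.timers.*.max as max_*`: the '*' in pattern matches
    any characters (as Splunk's does), and the matched text is substituted for
    the '*' in replacement. Fields that do not match are dropped, which is what
    `| fields max_*` does in the answer."""
    head, tail = pattern.split("*", 1)
    regex = re.compile("^" + re.escape(head) + "(.+)" + re.escape(tail) + "$")
    renamed = {}
    for name, value in fields.items():
        match = regex.match(name)
        if match:
            renamed[replacement.replace("*", match.group(1))] = value
    return renamed


def maxfield(raw_event, threshold=400000):
    """Equivalent of the foreach/mvappend loop: one 'max_<timer>=<value>' entry
    per timer whose max exceeds threshold. Sorted because, as the question
    notes, key order in the JSON is not guaranteed."""
    fields = rename_wildcard(flatten(json.loads(raw_event)),
                             "metrics.timers.*.max", "max_*")
    hits = [f"{name}={value}" for name, value in fields.items()
            if isinstance(value, (int, float)) and value > threshold]
    return sorted(hits)


def search(events, threshold=400000):
    """Keep only the events with at least one timer over threshold, returning
    (event_number, maxfield) pairs, like following the answer's search with
    `| where isnotnull(maxfield)`."""
    results = []
    for number, raw_event in enumerate(events, start=1):
        hits = maxfield(raw_event, threshold)
        if hits:
            results.append((number, hits))
    return results


if __name__ == "__main__":
    for number, hits in search([EVENT_1, EVENT_2]):
        print(f"event {number}: {' '.join(hits)}")
```

Raising the threshold in `search` is the quick way to confirm the filter behaves like the SPL `if(<<FIELD>> > 400000, ...)` test: at 460000 only event 2's bar_some_other_timer2 survives.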
