Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to split nested json objects?

jcw1407
Engager
‎02-10-2022 01:48 AM

I have JSON that is really an array of values but has been encoded as objects, something like this

 

{ "metrics": 
  { "timers" : 
     { "foo_timer":
         {
           "count": 1,
           "max": 452603,
           "mean": 452603,
           "min": 452603
         },
       "bar_some_other_timer":
         {
            "count": 1,
            "max": 367110,
            "mean": 367110,
            "min": 367110
          }
     }
   }
}

 

I can display this in a table by iterating using foreach, but what I really want to do is search for events where max > 400000, and then display it with the name of the timer - so in above that would match foo_timer.  The names of the timer can be anything and the order is not guaranteed.

I've tried all sorts today and keep coming up short.

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎02-11-2022 12:58 AM

Any day JSON structure is concerned, I'll take array formulated as objects rather than objects formulated as array.  See if foreach produces something useful:

 

| rename metrics.timers.*.max as max_*
| fields max_* ``` just to clean view, not part of calculation ```
| foreach max_*
    [| eval maxfield = mvappend(maxfield, if(<<FIELD>> > 400000, "<<FIELD>>=" . <<FIELD>>, null()))]
| fields - max_*, _raw ``` again, just to clean view ```

 

Note the above is just to produce a singular field named  maxfield to carry the information you wanted in the a readable format.  For two events like

 

Event 1:
{ "metrics": 
  { "timers" : 
     { "foo_timer":
         {
           "count": 1,
           "max": 452603,
           "mean": 452603,
           "min": 452603
         },
       "bar_some_other_timer":
         {
            "count": 1,
            "max": 367110,
            "mean": 367110,
            "min": 367110
          }
     }
   }
}
---
Event 2:
{"metrics": 
  { "timers" : 
     { "foo_timer":
         {
           "count": 1,
           "max": 452703,
           "mean": 452603,
           "min": 452603
         },
       "bar_some_other_timer2":
         {
            "count": 1,
            "max": 467110,
            "mean": 367110,
            "min": 367110
          }
     }
   }
}

 

the output will be

_timemaxfield
2022-02-11 00:55:01max_foo_timer=452603
2022-02-11 01:00:01
max_bar_some_other_timer2=467110
max_foo_timer=452703

You can operate on maxfield any way you like.  For example, you can add "| mvexpand mvfield" to produce

_timemaxfield
2022-02-11 00:55:01max_foo_timer=452603
2022-02-11 01:00:01
max_bar_some_other_timer2=467110
max_foo_timer=452703

or even "| mvexpand maxfield | rename maxfield as _raw | kv kvdelim="=" | rename _raw as maxfield" to produce

maxfield_timemax_bar_some_other_timer2max_foo_timer
max_foo_timer=4526032022-02-11 00:48:16 452603
max_bar_some_other_timer2=4671102022-02-11 00:53:16467110 
max_foo_timer=4527032022-02-11 00:53:16 452703

View solution in original post

Tags (1)
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎02-11-2022 12:58 AM

Any day JSON structure is concerned, I'll take array formulated as objects rather than objects formulated as array.  See if foreach produces something useful:

 

| rename metrics.timers.*.max as max_*
| fields max_* ``` just to clean view, not part of calculation ```
| foreach max_*
    [| eval maxfield = mvappend(maxfield, if(<<FIELD>> > 400000, "<<FIELD>>=" . <<FIELD>>, null()))]
| fields - max_*, _raw ``` again, just to clean view ```

 

Note the above is just to produce a singular field named  maxfield to carry the information you wanted in the a readable format.  For two events like

 

Event 1:
{ "metrics": 
  { "timers" : 
     { "foo_timer":
         {
           "count": 1,
           "max": 452603,
           "mean": 452603,
           "min": 452603
         },
       "bar_some_other_timer":
         {
            "count": 1,
            "max": 367110,
            "mean": 367110,
            "min": 367110
          }
     }
   }
}
---
Event 2:
{"metrics": 
  { "timers" : 
     { "foo_timer":
         {
           "count": 1,
           "max": 452703,
           "mean": 452603,
           "min": 452603
         },
       "bar_some_other_timer2":
         {
            "count": 1,
            "max": 467110,
            "mean": 367110,
            "min": 367110
          }
     }
   }
}

 

the output will be

_timemaxfield
2022-02-11 00:55:01max_foo_timer=452603
2022-02-11 01:00:01
max_bar_some_other_timer2=467110
max_foo_timer=452703

You can operate on maxfield any way you like.  For example, you can add "| mvexpand mvfield" to produce

_timemaxfield
2022-02-11 00:55:01max_foo_timer=452603
2022-02-11 01:00:01
max_bar_some_other_timer2=467110
max_foo_timer=452703

or even "| mvexpand maxfield | rename maxfield as _raw | kv kvdelim="=" | rename _raw as maxfield" to produce

maxfield_timemax_bar_some_other_timer2max_foo_timer
max_foo_timer=4526032022-02-11 00:48:16 452603
max_bar_some_other_timer2=4671102022-02-11 00:53:16467110 
max_foo_timer=4527032022-02-11 00:53:16 452703
Tags (1)
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Maximizing the Value of Splunk ES 8.x

Splunk Enterprise Security (ES) continues to be a leader in the Gartner Magic Quadrant, reflecting its pivotal ...