Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to use mvindex to break json file with mul...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rczone
Path Finder
08-30-2021
12:48 PM
Hello All,
So i have a field like below with JSON file
{"results_appcodes": [{"count": 2, "app_code": "XYZ", "group": "", "instance": "PQ1", "job_names": ["XYZ#cmd#johntest1", "XYZ#cmd#remetest"]}, {"count": 2, "app_code": "ZZZ", "group": "ABC1234", "instance": "PQ1", "job_names": ["ZZZ#ADM#cmd#pac", "ZZZ#cmd#GET_APP_CODE"]}, {"count": 1, "app_code": "ZZZ", "group": "", "instance": "PQ1", "job_names": ["ZZZ#cmd#mila3098"]}, {"count": 192, "app_code": "GKU", "group": "CAD45678", "instance": "PQ1", "job_names": ["ZZZ#cmd#test123"] ,["ZZZ#cmd#test890"], ["ZZZ#cmd#gola456"], ["ZZZ#cmd#test9990"] }}
Im using below query to break down the JSON file above
All the fields count,app_code, group, instance are getting as expected but for job_names im unable to break down and that particular attrbute has a list of jobs underneath it
Im looking for a query to get jobnames also
<<mysearch>>| spath input=results|rename unique_appcodes{}.* as * | eval x = mvzip(count,mvzip(app_code,mvzip(group,mvzip(instance,mvzip(instance,job_names))))) | mvexpand x | eval x = split(x, ",")| eval job_count=mvindex(x,0), app_code = mvindex(x,1) ,group=mvindex(x,2), instance = mvindex(x,3),job_names = mvindex(x,4) |table app_code job_count group instance job_names
Expected output
app_code count group instance job_names
XYZ 2 PQ1 XYZ#cmd#johntest1,XYZ#cmd#remetest
ZZZ 2 ABC1234 PQ2 ZZZ#ADM#cmd#pac,ZZZ#cmd#GET_APP_CODE
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kamlesh_vaghela
SplunkTrust
08-31-2021
10:32 PM
Can you please try this?
YOUR_SEARCH
| kv
| spath path=results_appcodes{} output=results_appcodes
| stats count by results_appcodes |fields - count
| rename results_appcodes as _raw
| kv
| eval job_names=if(isnotnull('job_names{}'),'job_names{}','job_names{}{}')
| fields - "job_names{*"
| eval n=1 | accum n | eventstats max(n) as mn by app_code
| where n=mn
|table app_code count group instance job_names | eval job_names=mvjoin(job_names,",")
My Sample Search :
| makeresults
| eval _raw="{\"results_appcodes\": [{\"count\": 2,\"app_code\": \"XYZ\",\"group\": \"\",\"instance\": \"PQ1\",\"job_names\": [\"XYZ#cmd#johntest1\", \"XYZ#cmd#remetest\"]}, {\"count\": 2,\"app_code\": \"ZZZ\",\"group\": \"ABC1234\",\"instance\": \"PQ1\",\"job_names\": [\"ZZZ#ADM#cmd#pac\", \"ZZZ#cmd#GET_APP_CODE\"]}, {\"count\": 1,\"app_code\": \"ZZZ\",\"group\": \"\",\"instance\": \"PQ1\",\"job_names\": [\"ZZZ#cmd#mila3098\"]}, {\"count\": 192,\"app_code\": \"GKU\",\"group\": \"CAD45678\",\"instance\": \"PQ1\",\"job_names\": [[\"ZZZ#cmd#test123\"],[\"ZZZ#cmd#test890\"],[\"ZZZ#cmd#gola456\"],[\"ZZZ#cmd#test9990\"]]}]}"
| kv
| spath path=results_appcodes{} output=results_appcodes
| stats count by results_appcodes |fields - count
| rename results_appcodes as _raw
| kv
| eval job_names=if(isnotnull('job_names{}'),'job_names{}','job_names{}{}')
| fields - "job_names{*"
| eval n=1 | accum n | eventstats max(n) as mn by app_code
| where n=mn
|table app_code count group instance job_names | eval job_names=mvjoin(job_names,",")
My Sample Event.
{
"results_appcodes": [{
"count": 2,
"app_code": "XYZ",
"group": "",
"instance": "PQ1",
"job_names": ["XYZ#cmd#johntest1", "XYZ#cmd#remetest"]
}, {
"count": 2,
"app_code": "ZZZ",
"group": "ABC1234",
"instance": "PQ1",
"job_names": ["ZZZ#ADM#cmd#pac", "ZZZ#cmd#GET_APP_CODE"]
}, {
"count": 1,
"app_code": "ZZZ",
"group": "",
"instance": "PQ1",
"job_names": ["ZZZ#cmd#mila3098"]
}, {
"count": 192,
"app_code": "GKU",
"group": "CAD45678",
"instance": "PQ1",
"job_names": [
["ZZZ#cmd#test123"],
["ZZZ#cmd#test890"],
["ZZZ#cmd#gola456"],
["ZZZ#cmd#test9990"]
]
}]
}
You can changes the search incase variation in event 🙂
Thanks
KV
▄︻̷̿┻̿═━一
If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kamlesh_vaghela
SplunkTrust
08-31-2021
10:32 PM
Can you please try this?
YOUR_SEARCH
| kv
| spath path=results_appcodes{} output=results_appcodes
| stats count by results_appcodes |fields - count
| rename results_appcodes as _raw
| kv
| eval job_names=if(isnotnull('job_names{}'),'job_names{}','job_names{}{}')
| fields - "job_names{*"
| eval n=1 | accum n | eventstats max(n) as mn by app_code
| where n=mn
|table app_code count group instance job_names | eval job_names=mvjoin(job_names,",")
My Sample Search :
| makeresults
| eval _raw="{\"results_appcodes\": [{\"count\": 2,\"app_code\": \"XYZ\",\"group\": \"\",\"instance\": \"PQ1\",\"job_names\": [\"XYZ#cmd#johntest1\", \"XYZ#cmd#remetest\"]}, {\"count\": 2,\"app_code\": \"ZZZ\",\"group\": \"ABC1234\",\"instance\": \"PQ1\",\"job_names\": [\"ZZZ#ADM#cmd#pac\", \"ZZZ#cmd#GET_APP_CODE\"]}, {\"count\": 1,\"app_code\": \"ZZZ\",\"group\": \"\",\"instance\": \"PQ1\",\"job_names\": [\"ZZZ#cmd#mila3098\"]}, {\"count\": 192,\"app_code\": \"GKU\",\"group\": \"CAD45678\",\"instance\": \"PQ1\",\"job_names\": [[\"ZZZ#cmd#test123\"],[\"ZZZ#cmd#test890\"],[\"ZZZ#cmd#gola456\"],[\"ZZZ#cmd#test9990\"]]}]}"
| kv
| spath path=results_appcodes{} output=results_appcodes
| stats count by results_appcodes |fields - count
| rename results_appcodes as _raw
| kv
| eval job_names=if(isnotnull('job_names{}'),'job_names{}','job_names{}{}')
| fields - "job_names{*"
| eval n=1 | accum n | eventstats max(n) as mn by app_code
| where n=mn
|table app_code count group instance job_names | eval job_names=mvjoin(job_names,",")
My Sample Event.
{
"results_appcodes": [{
"count": 2,
"app_code": "XYZ",
"group": "",
"instance": "PQ1",
"job_names": ["XYZ#cmd#johntest1", "XYZ#cmd#remetest"]
}, {
"count": 2,
"app_code": "ZZZ",
"group": "ABC1234",
"instance": "PQ1",
"job_names": ["ZZZ#ADM#cmd#pac", "ZZZ#cmd#GET_APP_CODE"]
}, {
"count": 1,
"app_code": "ZZZ",
"group": "",
"instance": "PQ1",
"job_names": ["ZZZ#cmd#mila3098"]
}, {
"count": 192,
"app_code": "GKU",
"group": "CAD45678",
"instance": "PQ1",
"job_names": [
["ZZZ#cmd#test123"],
["ZZZ#cmd#test890"],
["ZZZ#cmd#gola456"],
["ZZZ#cmd#test9990"]
]
}]
}
You can changes the search incase variation in event 🙂
Thanks
KV
▄︻̷̿┻̿═━一
If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rczone
Path Finder
09-01-2021
11:57 AM
@kamlesh_vaghela Thankyou so much it worked most of the part for me its truncating job_names with count 1 if the job_names is duplicate
here is my sample json file -- XYZ job_names has 2 records i it ,with count 2 and count 1 respectively in this case XYZ is only displayed once in output but i have to get 2 rows for XYZ
{"results_appcodes": [{"count": 2, "app_code": "XYZ", "group": "", "instance": "PQ1", "job_names": ["XYZ#cmd#johntest1", "XYZ#cmd#remetest"]}, {"count": 2, "app_code": "ZZZ", "group": "ABC1234", "instance": "PQ1", "job_names": ["ZZZ#ADM#cmd#pac", "ZZZ#cmd#GET_APP_CODE"]}, {"count": 1, "app_code": "XYZ", "group": "", "instance": "PQ1", "job_names": ["XYZ#cmd#mila3098"]}, {"count": 192, "app_code": "GKU", "group": "CAD45678", "instance": "PQ1", "job_names": ["ZZZ#cmd#test123"] ,["ZZZ#cmd#test890"], ["ZZZ#cmd#gola456"], ["ZZZ#cmd#test9990"] }}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kamlesh_vaghela
SplunkTrust
09-01-2021
10:40 PM
It looks some variations in JSON event.
Can you please try these two options?
1)
YOUR_SEARCH
| spath path=results_appcodes{} output=results_appcodes
| stats count by results_appcodes |fields - count
| rename results_appcodes as _raw
| kv
| eval job_names=if(isnotnull('job_names{}'),'job_names{}','job_names{}{}')
| fields - "job_names{*"
|table app_code count group instance job_names | eval job_names=mvjoin(job_names,",")
My Sample Search :
| makeresults
| eval _raw="{\"results_appcodes\": [{\"count\": 2,\"app_code\": \"XYZ\",\"group\": \"\",\"instance\": \"PQ1\",\"job_names\": [\"XYZ#cmd#johntest1\", \"XYZ#cmd#remetest\"]}, {\"count\": 2,\"app_code\": \"ZZZ\",\"group\": \"ABC1234\",\"instance\": \"PQ1\",\"job_names\": [\"ZZZ#ADM#cmd#pac\", \"ZZZ#cmd#GET_APP_CODE\"]}, {\"count\": 1,\"app_code\": \"XYZ\",\"group\": \"\",\"instance\": \"PQ1\",\"job_names\": [\"XYZ#cmd#mila3098\"]}, {\"count\": 192,\"app_code\": \"GKU\",\"group\": \"CAD45678\",\"instance\": \"PQ1\",\"job_names\": [[\"ZZZ#cmd#test123\"],[\"ZZZ#cmd#test890\"],[\"ZZZ#cmd#gola456\"],[\"ZZZ#cmd#test9990\"]]}]}"
| kv
| spath path=results_appcodes{} output=results_appcodes
| stats count by results_appcodes |fields - count
| rename results_appcodes as _raw
| kv
| eval job_names=if(isnotnull('job_names{}'),'job_names{}','job_names{}{}')
| fields - "job_names{*"
|table app_code count group instance job_names | eval job_names=mvjoin(job_names,",")
2)
YOUR_SEARCH
| eval data = split(_raw,"}, {") | stats count by data
| rex field=data "\"count\":\s(?<count>\d+),\s\"app_code\":\s\"(?<app_code>[^,]+)\",\s\"group\"\:\s\"(?<group>[^,]*)\",\s\"instance\"\:\s\"(?<instance>[^,]+)\",\s\"job_names\":\s(?<job_names>.*)"
| rex field=job_names "\[?\"(?<job_names>[^\"]+)\"" max_match=0 | eval job_names=mvjoin(job_names,",")
|table app_code count group instance job_names
My Sample Search :
| makeresults
| eval _raw="{\"results_appcodes\": [{\"count\": 2, \"app_code\": \"XYZ\", \"group\": \"\", \"instance\": \"PQ1\", \"job_names\": [\"XYZ#cmd#johntest1\", \"XYZ#cmd#remetest\"]}, {\"count\": 2, \"app_code\": \"ZZZ\", \"group\": \"ABC1234\", \"instance\": \"PQ1\", \"job_names\": [\"ZZZ#ADM#cmd#pac\", \"ZZZ#cmd#GET_APP_CODE\"]}, {\"count\": 1, \"app_code\": \"XYZ\", \"group\": \"\", \"instance\": \"PQ1\", \"job_names\": [\"XYZ#cmd#mila3098\"]}, {\"count\": 192, \"app_code\": \"GKU\", \"group\": \"CAD45678\", \"instance\": \"PQ1\", \"job_names\": [\"ZZZ#cmd#test123\"] ,[\"ZZZ#cmd#test890\"], [\"ZZZ#cmd#gola456\"], [\"ZZZ#cmd#test9990\"] }}"
| eval data = split(_raw,"}, {") | stats count by data
| rex field=data "\"count\":\s(?<count>\d+),\s\"app_code\":\s\"(?<app_code>[^,]+)\",\s\"group\"\:\s\"(?<group>[^,]*)\",\s\"instance\"\:\s\"(?<instance>[^,]+)\",\s\"job_names\":\s(?<job_names>.*)"
| rex field=job_names "\[?\"(?<job_names>[^\"]+)\"" max_match=0 | eval job_names=mvjoin(job_names,",")
|table app_code count group instance job_names
I hope this will help you with your all type of events. 🙂
Thanks
KV
▄︻̷̿┻̿═━一 😉
If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
08-31-2021
01:45 AM
Try something like this
| spath result_appcodes{} output=result_appcodes
| mvexpand result_appcodes
| spath input=result_appcodes - Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rczone
Path Finder
08-31-2021
06:44 AM
Thankyou...but im looking to split the values individually as i need them to use further in my query...with jso spath split we cant use the values as individually
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
09-01-2021
01:25 AM
Can you give an example of what you get from this search and what further it needs to do?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rczone
Path Finder
08-30-2021
12:49 PM
@ITWhisperer any inputs @kamlesh_vaghela
Get Updates on the Splunk Community!
Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey
Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!
Hello there, Splunk ...
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...
Monitoring Amazon Elastic Kubernetes Service (EKS)
As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...
