Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Index JSON data

vasanthmss
Motivator
‎12-10-2014 08:51 PM

Hi all,

I would like to index JSON data like this, My ultimate aim is to move the fields(college, university, examdate) to the individual array element and index.

 college=college1    studentname=name1    mark=98    subject=science    university=university1    examdate=10-12-14
 college=college1    studentname=name2    mark=99    subject=science    university=university1    examdate=10-12-14
 college=college2    studentname=name21    mark=80    subject=science    university=university1    examdate=10-12-14
 college=college2    studentname=name22    mark=100    subject=science    university=university1   examdate=10-12-14

Sample JSON,

{
   "studentsmarks": {
     "subject": "science",
     "university": "university1",
     "examdate": "10-12-14"
   },
   "students": [
     {
       "college": "college1",
       "studentname": "name1",
       "mark": "98"
     },
     {
       "college": "college1",
       "studentname": "name2",
       "mark": "99"
     },
     {
       "college": "college2",
       "studentname": "name21",
       "mark": "80"
     },
     {
       "college": "college2",
       "studentname": "name22",
       "mark": "100"
     }
   ]
 }

Cheeerrss!

V
Reply

fdi01
Motivator
‎12-16-2014 02:14 AM

run this search :
| gentimes start=-1 | eval temp="{\"studentsmarks\":{\"subject\":\"science\",\"university\":\"university1\",\"examdate\":\"10-12-14\"},\"students\":[{\"college\":\"college1\",\"studentname\":\"name1\",\"mark\":\"98\"},{\"college\":\"college1\",\"studentname\":\"name2\",\"mark\":\"99\"},{\"college\":\"college2\",\"studentname\":\"name21\",\"mark\":\"80\"},{\"college\":\"college2\",\"studentname\":\"name22\",\"mark\":\"100\"}]}" | table temp | rename temp as _raw | spath | rename students{}.* as * |rename studentsmarks.* as * | eval temp=mvzip(college,mvzip(mark,studentname,"#"),"#") | mvexpand temp | rex field=temp "(?.*)#(?.*)#(?.*)" |table college university examdate | outputcsv your_csv_name

after go to /splunk_home/var/run/splunk/ directry and you shall see your_csv_name.csv ;
Then you Recuper in the directory your csv file and you can index your_csv_name.csv file

0 Karma
Reply

vasanthmss
Motivator
‎12-16-2014 11:02 AM

Hey,

How this will help me? are you ask me to index twice? then what happen to the license?

I would like to handle it in index time.

V
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...