Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Index JSON data
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Index JSON data
Hi all,
I would like to index JSON data like this, My ultimate aim is to move the fields(college, university, examdate) to the individual array element and index.
college=college1 studentname=name1 mark=98 subject=science university=university1 examdate=10-12-14
college=college1 studentname=name2 mark=99 subject=science university=university1 examdate=10-12-14
college=college2 studentname=name21 mark=80 subject=science university=university1 examdate=10-12-14
college=college2 studentname=name22 mark=100 subject=science university=university1 examdate=10-12-14
Sample JSON,
{
"studentsmarks": {
"subject": "science",
"university": "university1",
"examdate": "10-12-14"
},
"students": [
{
"college": "college1",
"studentname": "name1",
"mark": "98"
},
{
"college": "college1",
"studentname": "name2",
"mark": "99"
},
{
"college": "college2",
"studentname": "name21",
"mark": "80"
},
{
"college": "college2",
"studentname": "name22",
"mark": "100"
}
]
}
Cheeerrss!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
run this search :
| gentimes start=-1 | eval temp="{\"studentsmarks\":{\"subject\":\"science\",\"university\":\"university1\",\"examdate\":\"10-12-14\"},\"students\":[{\"college\":\"college1\",\"studentname\":\"name1\",\"mark\":\"98\"},{\"college\":\"college1\",\"studentname\":\"name2\",\"mark\":\"99\"},{\"college\":\"college2\",\"studentname\":\"name21\",\"mark\":\"80\"},{\"college\":\"college2\",\"studentname\":\"name22\",\"mark\":\"100\"}]}" | table temp | rename temp as _raw | spath | rename students{}.* as * |rename studentsmarks.* as * | eval temp=mvzip(college,mvzip(mark,studentname,"#"),"#") | mvexpand temp | rex field=temp "(?.*)#(?.*)#(?.*)" |table college university examdate | outputcsv your_csv_name
after go to /splunk_home/var/run/splunk/ directry and you shall see your_csv_name.csv ;
Then you Recuper in the directory your csv file and you can index your_csv_name.csv file
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey,
How this will help me? are you ask me to index twice? then what happen to the license?
I would like to handle it in index time.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Mile High Learning with Splunk University, Denver, Colorado
IT Service Intelligence 5.0 Series: Your Guide to the June Launch
Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0
