Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Index JSON data

vasanthmss
Motivator
‎12-10-2014 08:51 PM

Hi all,

I would like to index JSON data like this, My ultimate aim is to move the fields(college, university, examdate) to the individual array element and index.

 college=college1    studentname=name1    mark=98    subject=science    university=university1    examdate=10-12-14
 college=college1    studentname=name2    mark=99    subject=science    university=university1    examdate=10-12-14
 college=college2    studentname=name21    mark=80    subject=science    university=university1    examdate=10-12-14
 college=college2    studentname=name22    mark=100    subject=science    university=university1   examdate=10-12-14

Sample JSON,

{
   "studentsmarks": {
     "subject": "science",
     "university": "university1",
     "examdate": "10-12-14"
   },
   "students": [
     {
       "college": "college1",
       "studentname": "name1",
       "mark": "98"
     },
     {
       "college": "college1",
       "studentname": "name2",
       "mark": "99"
     },
     {
       "college": "college2",
       "studentname": "name21",
       "mark": "80"
     },
     {
       "college": "college2",
       "studentname": "name22",
       "mark": "100"
     }
   ]
 }

Cheeerrss!

V
Reply

fdi01
Motivator
‎12-16-2014 02:14 AM

run this search :
| gentimes start=-1 | eval temp="{\"studentsmarks\":{\"subject\":\"science\",\"university\":\"university1\",\"examdate\":\"10-12-14\"},\"students\":[{\"college\":\"college1\",\"studentname\":\"name1\",\"mark\":\"98\"},{\"college\":\"college1\",\"studentname\":\"name2\",\"mark\":\"99\"},{\"college\":\"college2\",\"studentname\":\"name21\",\"mark\":\"80\"},{\"college\":\"college2\",\"studentname\":\"name22\",\"mark\":\"100\"}]}" | table temp | rename temp as _raw | spath | rename students{}.* as * |rename studentsmarks.* as * | eval temp=mvzip(college,mvzip(mark,studentname,"#"),"#") | mvexpand temp | rex field=temp "(?.*)#(?.*)#(?.*)" |table college university examdate | outputcsv your_csv_name

after go to /splunk_home/var/run/splunk/ directry and you shall see your_csv_name.csv ;
Then you Recuper in the directory your csv file and you can index your_csv_name.csv file

0 Karma
Reply

vasanthmss
Motivator
‎12-16-2014 11:02 AM

Hey,

How this will help me? are you ask me to index twice? then what happen to the license?

I would like to handle it in index time.

V
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...