Solved: JSON to table

email2vamsi · ‎03-30-2020

Hello experts,

I would like to display this json to the table mentioned below.
Please help. Thank you.

{"body":[{"srl":"1A","Num":60,"Type":"x1"},
{"srl":"2A","Type":"x2"}],
"date":1585522807308}

srl---Num---Type
~~~~~~~~~~~~
1A---60 ----x1
2A--None---x2

vnravikumar · ‎03-30-2020

Hi

Give a try

| makeresults 
| eval _raw="{\"body\":[{\"srl\":\"1A\",\"Num\":60,\"Type\":\"x1\"},{\"srl\":\"2A\",\"Type\":\"x2\"}],\"date\":\"1585522807308\"}" 
| spath path=body{} output=temp 
| mvexpand temp 
| spath input=temp 
| fillnull value="None" 
| table srl,Num,Type

View solution in original post

vnravikumar · ‎03-30-2020

Hi

Give a try

| makeresults 
| eval _raw="{\"body\":[{\"srl\":\"1A\",\"Num\":60,\"Type\":\"x1\"},{\"srl\":\"2A\",\"Type\":\"x2\"}],\"date\":\"1585522807308\"}" 
| spath path=body{} output=temp 
| mvexpand temp 
| spath input=temp 
| fillnull value="None" 
| table srl,Num,Type

kamlesh_vaghela · ‎03-30-2020

@email2vamsi

Can you please try this?

YOUR_SEARCH  | spath path=body{} output=b |mvexpand b | eval _raw=b | extract | fillnull value="None" | table srl Num Type

Sample Search

| makeresults 
| eval _raw="{\"body\":[{\"srl\":\"1A\",\"Num\":60,\"Type\":\"x1\"},{\"srl\":\"2A\",\"Type\":\"x2\"}],\"date\":\"1585522807308\"}" 
| spath path=body{} output=b |mvexpand b | eval _raw=b | extract | fillnull value="None" | table srl Num Type

Thanks

JSON to table

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation