Solved: JSON to table

email2vamsi · ‎03-30-2020

Hello experts,

I would like to display this json to the table mentioned below.
Please help. Thank you.

{"body":[{"srl":"1A","Num":60,"Type":"x1"},
{"srl":"2A","Type":"x2"}],
"date":1585522807308}

srl---Num---Type
~~~~~~~~~~~~
1A---60 ----x1
2A--None---x2

vnravikumar · ‎03-30-2020

Hi

Give a try

| makeresults 
| eval _raw="{\"body\":[{\"srl\":\"1A\",\"Num\":60,\"Type\":\"x1\"},{\"srl\":\"2A\",\"Type\":\"x2\"}],\"date\":\"1585522807308\"}" 
| spath path=body{} output=temp 
| mvexpand temp 
| spath input=temp 
| fillnull value="None" 
| table srl,Num,Type

View solution in original post

vnravikumar · ‎03-30-2020

Hi

Give a try

| makeresults 
| eval _raw="{\"body\":[{\"srl\":\"1A\",\"Num\":60,\"Type\":\"x1\"},{\"srl\":\"2A\",\"Type\":\"x2\"}],\"date\":\"1585522807308\"}" 
| spath path=body{} output=temp 
| mvexpand temp 
| spath input=temp 
| fillnull value="None" 
| table srl,Num,Type

kamlesh_vaghela · ‎03-30-2020

@email2vamsi

Can you please try this?

YOUR_SEARCH  | spath path=body{} output=b |mvexpand b | eval _raw=b | extract | fillnull value="None" | table srl Num Type

Sample Search

| makeresults 
| eval _raw="{\"body\":[{\"srl\":\"1A\",\"Num\":60,\"Type\":\"x1\"},{\"srl\":\"2A\",\"Type\":\"x2\"}],\"date\":\"1585522807308\"}" 
| spath path=body{} output=b |mvexpand b | eval _raw=b | extract | fillnull value="None" | table srl Num Type

Thanks

JSON to table

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Tech Talk | One Log to Rule Them All