Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Nested JSON (Returns Empty)
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nested JSON (Returns Empty)
morgantay96
Path Finder
08-23-2021
06:34 PM
Hi All,
Have a search that is not returning what I would like. Need to unest some JSON but having issues.
Here is an example of the JSON
{"configuration": {"targetResourceType": "AWS::EC2::Volume", "targetResourceId": "resource123", "configRuleList": [{"configRuleId": "config1", "configRuleArn": "removed", "configRuleName": "config1rule", "complianceType": "COMPLIANT"}, {"configRuleId": "config2", "configRuleArn": "removed", "configRuleName": "config2rule", "complianceType": "COMPLIANT"}, {"configRuleId": "config3", "configRuleArn": "removed", "configRuleName": "config3rule", "complianceType": "NON_COMPLIANT"}], "complianceType": "NON_COMPLIANT"}, "configurationItemStatus": "OK", "configurationStateId": 11111111, "configurationStateMd5Hash": "", "supplementaryConfiguration": {}, "resourceId": "AWS::EC2::Volume/resource123", "resourceType": "AWS::Config::ResourceCompliance", "relatedEvents": [], "tags": {}, "relationships": [{"resourceType": "AWS::EC2::Volume", "name": "Is associated with ", "resourceId": "resource123"}], "configurationItemVersion": "1.3", "configurationItemCaptureTime": "2021-01-23T06:28:07.415Z", "awsAccountId": "removed", "awsRegion": "removed"}
Here is the logic I am using
MY SEARCH
| spath configuration{} output=configuration
| stats count by resourceId configuration
| eval _raw=configuration
| spath configRuleList{} output=configRuleList
| stats count by resourceId configuration configRuleList
| eval _raw=configRuleList | spath complianceType output=complianceType | spath configRuleArn output=configRuleArn | spath configRuleId output=configRuleId | spath configRuleName output=configRuleName
| table resourceId compianceType configRuleArn configRuleId configRuleName
Desired result would be a table that accounts for the 3 different rules and created 3 different rows for each.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
08-23-2021
07:28 PM
hi @morgantay96,
You need to unnest configRuleList, the mvexpand the field and again apply spath on expanded values to get desired results. Try this.
| makeresults
| eval _raw="{\"configuration\": {\"targetResourceType\": \"AWS::EC2::Volume\", \"targetResourceId\": \"resource123\", \"configRuleList\":
[ {\"configRuleId\": \"config1\", \"configRuleArn\": \"removed\", \"configRuleName\": \"config1rule\", \"complianceType\": \"COMPLIANT\"}, {\"configRuleId\": \"config2\", \"configRuleArn\": \"removed\", \"configRuleName\": \"config2rule\", \"complianceType\": \"COMPLIANT\"}, {\"configRuleId\": \"config3\", \"configRuleArn\": \"removed\", \"configRuleName\": \"config3rule\", \"complianceType\": \"NON_COMPLIANT\"}], \"complianceType\": \"NON_COMPLIANT\"}, \"configurationItemStatus\": \"OK\", \"configurationStateId\": 11111111, \"configurationStateMd5Hash\": \"\", \"supplementaryConfiguration\": {}, \"resourceId\": \"AWS::EC2::Volume/resource123\", \"resourceType\": \"AWS::Config::ResourceCompliance\", \"relatedEvents\":
[ ], \"tags\": {}, \"relationships\":
[ {\"resourceType\": \"AWS::EC2::Volume\", \"name\": \"Is associated with \", \"resourceId\": \"resource123\"}], \"configurationItemVersion\": \"1.3\", \"configurationItemCaptureTime\": \"2021-01-23T06:28:07.415Z\", \"awsAccountId\": \"removed\", \"awsRegion\": \"removed\"}"
| spath configuration.configRuleList{} output=configRuleList
| spath
| mvexpand configRuleList
| spath input=configRuleList
| table resourceId complianceType configRuleArn configRuleId configRuleName
If this reply helps you, a like would be appreciated.
Get Updates on the Splunk Community!
Fastest way to demo Observability
I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...
September Community Champions: A Shoutout to Our Contributors!
As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...
Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps
It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...
