Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Nested JSON and SPATHING

BearMormont
Path Finder
‎03-16-2018 06:10 AM

Hi,

I have another question similar to the question I asked at https://answers.splunk.com/answers/624148/expanding-nested-events.html. The solution posted sort of worked, but stopped working when the number of Tasks changed between Projects.

Take for example the following single Event (which is the result of a search):

 {
   FirstName: John
   LastName: Doe
   Projects: [
     {
       ProjectName: Build Computer
       Tasks: [
         {
           TaskName: Order hardware
           TaskDueDate: 1/1/2018
         }
         {
           TaskName: Install software
           TaskDueDate: 1/2/2018
         }
         {
           TaskName: Deploy machine
           TaskDueDate: 1/3/2018
         }
       ]
     }
     {
       ProjectName: Submit Timesheet
       Tasks: [
         {
           TaskName: Fill out Timesheet
           TaskDueDate: 2/1/2018
         }
         {
           TaskName: Email Timesheet
           TaskDueDate: 2/2/2018
         }
       ]
     }
   ]
 }

I guess my issue is the SPATHing and linking the fields. If I Spath to Projects{}.Tasks{} I get two events with three Tasks in the first event and two tasks in the second event, which I was expecting. And if I were only interested in those tasks I could easily mvzip them and expand them to separate events. My issue is no matter what I try I cannot match them up with the proper Project Name. It seems to just give Build Computer to each of them, even though the second set of tasks should match up to Submit Timesheet.

This is the same result I get if I use SPATH alone without actually specifying a path.

If I SPATH into just Projects{}, I get two Tasks in the first event and two Tasks in the second, then I end up losing some of the tasks. Basically I am trying to get the output to look like:

 FirstName LastName  ProjectName       TaskName           TaskDueDate
 John      Doe       Build Computer    Order hardware     1/1/2018
 John      Doe       Build Computer    Install software   1/2/2018
 John      Doe       Build Computer    Deploy Machine     1/3/2018
 John      Doe       Submit Timesheet  Fill out Timesheet 2/1/2018
 John      Doe       Email Timesheet   Email Timesheet    2/2/2018

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎03-17-2018 08:17 AM

Hi @BearMormont,

I have tried a lot with your given JSON and finally, I got the expected result you want. Can you please try this search?

YOUR_SEARCH 
| spath Projects{} output=Projects 
| stats count by FirstName LastName Projects 
| eval _raw=Projects 
| spath Tasks{} output=Tasks | spath ProjectName output=ProjectName 
| stats count by FirstName LastName ProjectName Tasks 
| eval _raw=Tasks | spath TaskName output=TaskName | spath TaskDueDate output=TaskDueDate | table FirstName LastName ProjectName TaskName TaskDueDate

Thanks

View solution in original post

Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎03-17-2018 08:17 AM

Hi @BearMormont,

I have tried a lot with your given JSON and finally, I got the expected result you want. Can you please try this search?

YOUR_SEARCH 
| spath Projects{} output=Projects 
| stats count by FirstName LastName Projects 
| eval _raw=Projects 
| spath Tasks{} output=Tasks | spath ProjectName output=ProjectName 
| stats count by FirstName LastName ProjectName Tasks 
| eval _raw=Tasks | spath TaskName output=TaskName | spath TaskDueDate output=TaskDueDate | table FirstName LastName ProjectName TaskName TaskDueDate

Thanks

Reply
Solved! Jump to solution

BearMormont
Path Finder
‎03-17-2018 11:40 AM

THANK YOU!!!

First, this works perfectly. Thank you so much.

Second, can you please explain to me a little bit about how it works. Based on what I had read previously I thought I would need to use a combination of SPATH and MVZIP/MVEXPAND, but this didn't involve any multi value commands. Any insight you could impart would be greatly appreciated.

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎03-18-2018 05:27 AM

Glad to help you.

Yes, first I have tried with mvzip but I got just first value & other values removed from results. I'm not suggesting mvexpand command if you have heavy JSON events because it has its own limitation. So I've used here stats commands to make avail all possible multivalued fields. Well here spath works well for us. if you execute this search up to stats command you will get another JSON. Eg, this search.

 YOUR_SEARCH 
 | spath Projects{} output=Projects 
 | stats count by FirstName LastName Projects

After the stats by FirstName LastName Projects I will get JSON in Projects fields. This JSON field will work for as raw event for next spath command. Checkout this.

 | eval _raw=Projects

So spath will enough for us to go deeper in JSON.

I hope you this will help you and I'm sure you will try it with different types of JSON.

Thanks
Happy Splunking

Reply
Solved! Jump to solution

ktwingstrom
Path Finder
‎03-16-2018 08:18 AM

I would be VERY interested in an answer to this. I basically need to do the same thing.

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...