Nested JSON field

melvincorneliss · ‎02-20-2019

Hi I'm trying to do a count within my JSON logs. It's about the following data. I want to do a count for the extension_attribute with the name xxx-enrolled base on the value. How can I parse through this data? stats count is what I'm after.

{
"computer": {
"extension_attributes": [
{
"id": 1,
"name": "xxx-enrolled",
"type": "String",
"value": "3"
},
{
"id": 7,
"name": "xxx-filevault",
"type": "String",
"value": "FileVault is On."
},
{
"id": 4,
"name": "xxx-initial-hostname",
"type": "String",
"value": "xxxx-2i3l"
},
{
"id": 5,
"name": "Host name",
"type": "String",
"value": "xxxx-2i3l"
},
{
"id": 2,
"name": "Last User",
"type": "String",
"value": ""
},
]
}
}

woodcock · ‎02-20-2019

What should the exact output be?

jason_prondak · ‎02-20-2019

You can try using spath to parse it first. Then pull out the fields.

| makeresults

| eval raw="{ \"computer\": { \"extension_attributes\": [ { \"id\": 1, \"name\": \"xxx-enrolled\", \"type\": \"String\", \"value\": \"3\" }, { \"id\": 7, \"name\": \"xxx-filevault\", \"type\": \"String\", \"value\": \"FileVault is On.\" }, { \"id\": 4, \"name\": \"xxx-initial-hostname\", \"type\": \"String\", \"value\": \"xxxx-2i3l\" }, { \"id\": 5, \"name\": \"Host name\", \"type\": \"String\", \"value\": \"xxxx-2i3l\" }, { \"id\": 2, \"name\": \"Last User\", \"type\": \"String\", \"value\": \"\" }, { \"id\": 5, \"name\": \"xxx-enrolled\", \"type\": \"String\", \"value\": \"10\" }, ] } }"
| rename raw AS _raw
| spath

| rename computer.extension_attributes{}.name AS name
| stats count by name

Nested JSON field

Community Content Calendar, November Edition

October Community Champions: A Shoutout to Our Contributors!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

Nested JSON field

Community Content Calendar, November Edition

October Community Champions: A Shoutout to Our Contributors!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!