Splunk Search

Parsing double nested JSON

sammagana
Loves-to-Learn

Hello,

So I am having some trouble parsing this json file to pull out the nested contents of the 'licenses'.  My current search can grab the contents of the inner json within 'features' but not the nested 'licenses' portion.

My current search looks like this:

index=someindex
| fields features.*.* 
| rename features.* as * 
| eval FieldList="" 
| foreach * 
[ eval FieldList=if("<<MATCHSTR>>"!="FieldList",FieldList.","."<<MATCHSTR>>","") ] 
| eval FieldList=split(FieldList,",") 
| mvexpand FieldList 
| eval Software=mvindex(split(FieldList,"."),0),Column=mvindex(split(FieldList,"."),1) 
| eval value=""
| foreach * 
[ eval value=if("<<FIELD>>"==Software.".".Column,'<<FIELD>>',value),{Column}=value ]

Sample json file:

"features": {
"M_TOOL": {
"licenses": [],
"num_issued": 40,
"num_used": 0,
"num_available": 40,
"parse_status": "SUCCESS",
"parse_error": null
},
"M_GUI": {
"licenses": [],
"num_issued": 40,
"num_used": 0,
"num_available": 40,
"parse_status": "SUCCESS",
"parse_error": null
},
"MT_GUI": {
"licenses": [],
"num_issued": 40,
"num_used": 0,
"num_available": 40,
"parse_status": "SUCCESS",
"parse_error": null
},
"M_TOOL": {
"licenses": [],
"num_issued": 40,
"num_used": 0,
"num_available": 40,
"parse_status": "SUCCESS",
"parse_error": null
},
"ML_GUI": {
"licenses": [],
"num_issued": 40,
"num_used": 0,
"num_available": 40,
"parse_status": "SUCCESS",
"parse_error": null
},
"C_SOLVTOOL_Ser": {
"licenses": [],
"num_issued": 40,
"num_used": 0,
"num_available": 40,
"parse_status": "SUCCESS",
"parse_error": null
},
"CP_SOLVTOOL_Par": {
"licenses": [],
"num_issued": 600,
"num_used": 0,
"num_available": 600,
"parse_status": "SUCCESS",
"parse_error": null
},
"CD_SOLVTOOL_Ext": {
"licenses": [],
"num_issued": 20000,
"num_used": 0,
"num_available": 20000,
"parse_status": "SUCCESS",
"parse_error": null
},
"C_SOLV_Ser": {
"licenses": [
{
"version": ,
"vendor_daemon": "mcomp",
"expiration_date": "2021-08-31",
"type": "floating",
"parse_status": "SUCCESS",
"parse_error": null
}
],
"num_issued": 40,
"num_used": 16,
"num_available": 24,
"parse_status": "SUCCESS",
"parse_error": null
}

}

Ideally I'd like to put the contents into some table to start

vendor_daemon | expiration_date | type     | parse_status | parse_error
mcomp         | 2021-08-31      | floating | SUCCESS      | null


Thank you so much! Appreciate any and all help!

0 Karma

ITWhisperer
SplunkTrust

Will something like this work?

| spath
| fields *.licenses*
| rename features.*.licenses{}.* as *.*
| fields - _raw _time
| transpose 0
| eval software=mvindex(split(column,"."),0)
| eval attribute=mvindex(split(column,"."),1)
| eval {attribute}='row 1'
| fields - column row* attribute
| stats values(*) as * by software
0 Karma
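To show why the rename/split in the answer above yields one row per piece of software, here is an added Python model (not from the thread, not Splunk code) of what spath produces from such an event and what the rename features.*.licenses{}.* as *.* followed by the split on "." turns it into. The event is constructed from the values in the thread; note that a feature with an empty licenses list produces no licenses{} field at all, so it never appears in the table.

```python
import json
import re

# Constructed sample event modelled on the thread's raw event (not the poster's
# actual data): two features carry a license entry, one has an empty list.
SAMPLE_EVENT = json.loads("""
{"features": {
  "Acceleration": {"licenses": [{"version": "v20", "vendor_daemon": "cstd",
      "expiration_date": "2021-07-16", "type": "floating",
      "parse_status": "SUCCESS", "parse_error": null}],
    "num_issued": 5, "num_used": 3, "num_available": 2},
  "fronter": {"licenses": [], "num_issued": 5, "num_used": 0, "num_available": 5},
  "start": {"licenses": [{"version": "v20", "vendor_daemon": "cstd",
      "expiration_date": "2021-07-16", "type": "floating",
      "parse_status": "SUCCESS", "parse_error": null}],
    "num_issued": 5, "num_used": 1, "num_available": 4}
}}
""")

def spath_flatten(obj, prefix="", out=None):
    """Flatten JSON into spath-style field names: '.' for objects, '{}' for arrays.
    Each field maps to a list of values, like a Splunk multivalue field."""
    if out is None:
        out = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            spath_flatten(value, f"{prefix}.{key}" if prefix else key, out)
    elif isinstance(obj, list):
        for item in obj:  # an empty list contributes no field at all
            spath_flatten(item, prefix + "{}", out)
    else:
        out.setdefault(prefix, []).append("null" if obj is None else str(obj))
    return out

# Equivalent of: rename features.*.licenses{}.* as *.*
RENAME = re.compile(r"^features\.([^.]+)\.licenses\{\}\.(.+)$")

def licenses_table(event):
    """Group license attributes by software, as the split/stats pipeline does."""
    rows = {}
    for field, values in spath_flatten(event).items():
        match = RENAME.match(field)
        if not match:  # num_issued etc. are not license attributes
            continue
        software, attribute = match.group(1), match.group(2)
        rows.setdefault(software, {})[attribute] = values
    return rows
```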

sammagana
Loves-to-Learn

Hi!

Thanks for the help. Really appreciate it. 

It seems that with this query I am only able to return the list of software? 

The attributes don't generate in the columns.

Any suggestion?

Thank you! 

0 Karma

ITWhisperer
SplunkTrust

Can you share what you do get? Also, can you share what just the spath gives you? The more information you can give, the easier it will be to help you. Send a private message if you like.

0 Karma

thambisetty
SplunkTrust

Can you share the _raw event?

Do you expect more than one license in a single raw event? I only see one licenses field with values in the above event.

————————————
If this helps, give a like below.
0 Karma

sammagana
Loves-to-Learn

Yes, I do expect more than one license field in the event.

Here is my Raw Event:

"features": {
"Acceleration": { "licenses": [ { "version": "v20", "vendor_daemon": "cstd", "expiration_date": "2021-07-16", "type": "floating", "parse_status": "SUCCESS", "parse_error": null } ], "num_issued": 5, "num_used": 3, "num_available": 2, "parse_status": "SUCCESS", "parse_error": null }, "fronter": { "licenses": [], "num_issued": 5, "num_used": 0, "num_available": 5, "parse_status": "SUCCESS", "parse_error": null }, "start": { "licenses": [ { "version": "v20", "vendor_daemon": "cstd", "expiration_date": "2021-07-16", "type": "floating", "parse_status": "SUCCESS", "parse_error": null } ], "num_issued": 5, "num_used": 1, "num_available": 4, "parse_status": "SUCCESS", "parse_error": null }, "En_FSP": { "licenses": [], "num_issued": 1, "num_used": 0, "num_available": 1, "parse_status": "SUCCESS", "parse_error": null }, "OS_Linux": { "licenses": [], "num_issued": 5, "num_used": 0, "num_available": 5, "parse_status": "SUCCESS", "parse_error": null },

Is this what you're looking for?

0 Karma

thambisetty
SplunkTrust

If the licenses field is already extracted and has values like the ones below from the above events:

{ "version": "v20", "vendor_daemon": "cstd", "expiration_date": "2021-07-16", "type": "floating", "parse_status": "SUCCESS", "parse_error": null }
{ "version": "v20", "vendor_daemon": "cstd", "expiration_date": "2021-07-16", "type": "floating", "parse_status": "SUCCESS", "parse_error": null }
then you can write simple props & transforms as below on the search head to get fields from the licenses set:

props.conf

[yoursourcetype]
REPORT-jsonextract = jsonextract

transforms.conf

[jsonextract]
SOURCE_KEY=licenses
REGEX=(?<_KEY_1>[^\"]+)\":\s+\"?(?<_VAL_1>[^(\"|\s+)?]+)

If the licenses field is not extracted already, then you need to follow the steps below to extract the licenses field first:

props.conf

[yoursourcetype]
REPORT-a_licensesextract = a_licensesextract
REPORT-b_jsonextract = b_jsonextract

transforms.conf

[a_licensesextract]
REGEX = licenses\":\s+\[(?<licenses>[^\]]+)
FORMAT = licenses::$1
MV_ADD = true

[b_jsonextract]
SOURCE_KEY=licenses
REGEX=(?<_KEY_1>[^\"]+)\":\s+\"?(?<_VAL_1>[^(\"|\s+)?]+)

————————————
If this helps, give a like below.
0 Karma
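To check what the _KEY_1/_VAL_1 transform above actually pulls out of a licenses value, here is an added Python check (not from the thread, not Splunk code) that runs the same REGEX over constructed licenses strings; only the group syntax is changed to Python's (?P<name>...). The second string carries a value containing a space, which the negated character class in the regex stops at, so that value comes out truncated.

```python
import re

# The thread's transforms.conf REGEX with Python named-group syntax; the pattern
# itself is unchanged (Splunk's PCRE accepts (?<name>...) directly).
KV_REGEX = re.compile(r'(?P<_KEY_1>[^"]+)":\s+"?(?P<_VAL_1>[^("|\s+)?]+)')

# Constructed licenses values modelled on the thread's event (not the poster's data).
# The second one has a value with a space to show where the regex stops.
LICENSES = [
    '{ "version": "v20", "vendor_daemon": "cstd", "expiration_date": "2021-07-16", '
    '"type": "floating", "parse_status": "SUCCESS", "parse_error": null }',
    '{ "version": "v20", "vendor_daemon": "cstd", "type": "node locked", '
    '"parse_error": null }',
]

def extract_kv(license_text):
    """Return the (key, value) pairs the transform would produce, in match order.
    Values are read up to the first quote, whitespace or one of ( ) | + ? ."""
    return [(m.group("_KEY_1"), m.group("_VAL_1"))
            for m in KV_REGEX.finditer(license_text)]

def extract_all(licenses):
    """Merge pairs across a multivalue licenses field into per-key value lists."""
    fields = {}
    for text in licenses:
        for key, value in extract_kv(text):
            fields.setdefault(key, []).append(value)
    return fields
```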