Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Simple Json formatting into table

psable
Explorer
‎06-30-2016 07:45 PM

Hi, I posted similar question earlier but I dont see it anymore as posted so reposting simplified version.

json has this format

"Diagnosis": {
    "Version": 2,
    "dia": [
      {
        "name": "EF",
        "stringValue": "Emergency",
        "isRequired": false,
        "Defaultvalue": "EF"
      },
      {
        "name": "WR",
        "stringValue": 0,
        "isRequired": true,
        "Defaultvalue": "EN"
      } ]
The table needs to be in this format

name stringvalue isrequired defaultValue
EF Emergency false EF
WR 0 true EN

I am not able to figure out how to put in this format, I used spath but the columns entries do not match to corresponding rows...i.e. EF might match with 0 in stringValue instead in Emeregency . I saw mention that mvzip might work but I do not know how to use it. Can someone please help me ?

Thank you !

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎06-30-2016 09:53 PM

Referring to the example in http://docs.splunk.com/Documentation/Splunk/6.4.1/SearchReference/spath#Example_3:_Extract_and_expan..., below works fine for me

|stats count |eval json1="{
\"Diagnosis\": 
      {
   \"Version\": 2,
    \"dia\": 
    [
      {
        \"name\": \"EF\",
        \"stringValue\": \"Emergency\",
        \"isRequired\": false,
        \"Defaultvalue\": \"EF\"
      },
      {
        \"name\": \"WR\",
        \"stringValue\": 0,
        \"isRequired\": true,
        \"Defaultvalue\": \"EN\"
      } 
    ]
}     
}"
|spath input=json1|rename Diagnosis.dia{}.* as *
|eval values=mvzip(mvzip(mvzip(name,stringValue),isRequired),Defaultvalue)
|mvexpand values| eval values = split(values,",") 
|eval name=mvindex(values,0)|eval stringValue=mvindex(values,1) |eval isRequired=mvindex(values,2)|eval Defaultvalue=mvindex(values,3) | table name,stringValue,isRequired,Defaultvalue
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎06-30-2016 09:53 PM

Referring to the example in http://docs.splunk.com/Documentation/Splunk/6.4.1/SearchReference/spath#Example_3:_Extract_and_expan..., below works fine for me

|stats count |eval json1="{
\"Diagnosis\": 
      {
   \"Version\": 2,
    \"dia\": 
    [
      {
        \"name\": \"EF\",
        \"stringValue\": \"Emergency\",
        \"isRequired\": false,
        \"Defaultvalue\": \"EF\"
      },
      {
        \"name\": \"WR\",
        \"stringValue\": 0,
        \"isRequired\": true,
        \"Defaultvalue\": \"EN\"
      } 
    ]
}     
}"
|spath input=json1|rename Diagnosis.dia{}.* as *
|eval values=mvzip(mvzip(mvzip(name,stringValue),isRequired),Defaultvalue)
|mvexpand values| eval values = split(values,",") 
|eval name=mvindex(values,0)|eval stringValue=mvindex(values,1) |eval isRequired=mvindex(values,2)|eval Defaultvalue=mvindex(values,3) | table name,stringValue,isRequired,Defaultvalue
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

psable
Explorer
‎07-01-2016 05:59 AM

Thanks for reply. For some reason, this one does not return any result for me, am I missing anything ?

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎07-06-2016 07:22 PM

This is just a sample dummy search and you need to apply this in your original. Are you not getting anything if you copy paste the entire section to a search window? are you getting any error?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...