Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Simple Json formatting into table

psable
Explorer
‎06-30-2016 07:45 PM

Hi, I posted similar question earlier but I dont see it anymore as posted so reposting simplified version.

json has this format

"Diagnosis": {
    "Version": 2,
    "dia": [
      {
        "name": "EF",
        "stringValue": "Emergency",
        "isRequired": false,
        "Defaultvalue": "EF"
      },
      {
        "name": "WR",
        "stringValue": 0,
        "isRequired": true,
        "Defaultvalue": "EN"
      } ]
The table needs to be in this format

name stringvalue isrequired defaultValue
EF Emergency false EF
WR 0 true EN

I am not able to figure out how to put in this format, I used spath but the columns entries do not match to corresponding rows...i.e. EF might match with 0 in stringValue instead in Emeregency . I saw mention that mvzip might work but I do not know how to use it. Can someone please help me ?

Thank you !

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎06-30-2016 09:53 PM

Referring to the example in http://docs.splunk.com/Documentation/Splunk/6.4.1/SearchReference/spath#Example_3:_Extract_and_expan..., below works fine for me

|stats count |eval json1="{
\"Diagnosis\": 
      {
   \"Version\": 2,
    \"dia\": 
    [
      {
        \"name\": \"EF\",
        \"stringValue\": \"Emergency\",
        \"isRequired\": false,
        \"Defaultvalue\": \"EF\"
      },
      {
        \"name\": \"WR\",
        \"stringValue\": 0,
        \"isRequired\": true,
        \"Defaultvalue\": \"EN\"
      } 
    ]
}     
}"
|spath input=json1|rename Diagnosis.dia{}.* as *
|eval values=mvzip(mvzip(mvzip(name,stringValue),isRequired),Defaultvalue)
|mvexpand values| eval values = split(values,",") 
|eval name=mvindex(values,0)|eval stringValue=mvindex(values,1) |eval isRequired=mvindex(values,2)|eval Defaultvalue=mvindex(values,3) | table name,stringValue,isRequired,Defaultvalue
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎06-30-2016 09:53 PM

Referring to the example in http://docs.splunk.com/Documentation/Splunk/6.4.1/SearchReference/spath#Example_3:_Extract_and_expan..., below works fine for me

|stats count |eval json1="{
\"Diagnosis\": 
      {
   \"Version\": 2,
    \"dia\": 
    [
      {
        \"name\": \"EF\",
        \"stringValue\": \"Emergency\",
        \"isRequired\": false,
        \"Defaultvalue\": \"EF\"
      },
      {
        \"name\": \"WR\",
        \"stringValue\": 0,
        \"isRequired\": true,
        \"Defaultvalue\": \"EN\"
      } 
    ]
}     
}"
|spath input=json1|rename Diagnosis.dia{}.* as *
|eval values=mvzip(mvzip(mvzip(name,stringValue),isRequired),Defaultvalue)
|mvexpand values| eval values = split(values,",") 
|eval name=mvindex(values,0)|eval stringValue=mvindex(values,1) |eval isRequired=mvindex(values,2)|eval Defaultvalue=mvindex(values,3) | table name,stringValue,isRequired,Defaultvalue
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

psable
Explorer
‎07-01-2016 05:59 AM

Thanks for reply. For some reason, this one does not return any result for me, am I missing anything ?

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎07-06-2016 07:22 PM

This is just a sample dummy search and you need to apply this in your original. Are you not getting anything if you copy paste the entire section to a search window? are you getting any error?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...