Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Visualize JSON array of array

faustf
Communicator
‎09-12-2017 04:55 AM

Hi guys,

I would like to convert the following event into a table:

{
   Id: 1505207351   
   Start: 1505207651    
   Resource: res    
   Nodes: [ 
            [ res1, 1 ] , [ res2, 3 ]   
       ]    
}

The output should be a table like this:

 Id        |    Start   | Nodes
1505207351 | 1505207651 | [res1,1] , [res2,3]

Or even better, display a subtable in the Nodes column:

 Id        |    Start   |    Nodes
           |            | Res | Rank
-------------------------------------
1505207351 | 1505207651 | res1 | 1 
                        | res2 | 3
------------------------------------
2305207351 | 2305207651 | res3 | 4 
                        | res4 | 3

The event sourcetype is _json
My actual query to search the events is this:

index="myindex" | spath | table Id, Start, Nodes

The result is a table but the Nodes column is empty

Thanks

0 Karma
Reply

somesoni2
Revered Legend
‎09-12-2017 09:21 AM

Give this a try

 index="myindex" | spath | table Id, Start, Nodes* | rename Nodes{}{} as Nodes | rex field=Nodes max_match=0 "(?<Nodes_Res>\S+)\s+(?<Nodes_Rank>\d+)" 
|  table Id, Start, Nodes_Res Nodes_Rank
0 Karma
Reply

somesoni2
Revered Legend
‎09-12-2017 06:59 AM

Try this

index="myindex" | spath | table Id, Start, Nodes* | rename Nodes{}{} as Nodes
0 Karma
Reply

faustf
Communicator
‎09-12-2017 08:01 AM

Great it worked.
Is it difficult (or is it possible) to implement the subtable?

0 Karma
Reply

somesoni2
Revered Legend
‎09-12-2017 08:36 AM

It will be difficult. Firstly, the dual level columns are not possible (SPlunk doesn't support merged columns like you see in excel), but you you would be able to do some workaround. How does the data looks in the columns Nodes after the queries? Can you post some actual sample values (mask anything that is sensitive)? Conversion of that to the subtable format (converting NOdes to multivalued field) will depend on it current format. May be run this and tell actual values on both Nodes and NodesCount column.

index="myindex" | spath | table Id, Start, Nodes* | rename Nodes{}{} as Nodes | eval NodesCount=mvcount(Nodes)
0 Karma
Reply

faustf
Communicator
‎09-12-2017 08:48 AM

This is my current result: link text

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...