json parsing in SPL

rteja9
Path Finder

I have a JSON which I need help with breaking into key-value pairs.

 

 

 

 

"lint-info": {
            "-Wunused-but-set-variable": [
                {
                    "location": {
                        "column": 58,
                        "filename": "ab1",
                        "line": 237
                    },
                    "source": "logic [MSGG_RX_CNT-1:0][MSGG_RX_CNT_MAXWIDTH+2:0]        msgg_max_unrsrvd_temp;       // temp value including carry out",
                    "warning": "variable 'msgg_max_unrsrvd_temp' is assigned but its value is never used"
                },
                {
                    "location": {
                        "column": 58,
                        "filename": "ab2",
                        "line": 254
                    },
                    "source": "logic                                                    msgg_avail_cnt_err;          // Available Counter update error detected",
                    "warning": "variable 'msgg_avail_cnt_err' is assigned but its value is never used"
                }
            ],
            "-Wunused-genvar": [
                {
                    "location": {
                        "column": 11,
                        "filename": "ab3",
                        "line": 328
                    },
                    "source": "genvar nn,oo;",
                    "warning": "unused genvar 'oo'"
                }
            ],
            "total": 3,
            "types": [
                "-Wunused-but-set-variable",
                "-Wunused-genvar"
            ]
        },

 

 

 

 

 

I need to get a table with Type, filename, line values like below

 

| Type | Filename | Line |
|---|---|---|
| -Wunused-but-set-variable | ab1 | 237 |
| -Wunused-but-set-variable | ab2 | 254 |
| -Wunused-genvar | ab3 | 328 |

 

 

Thanks

 

 

0 Karma

yuanliu
SplunkTrust

I'm not a big fan of (mis)using actual data as a JSON key. If you have any influence over your developers, ask them to design a proper data structure.

To rescue data in its current state, Splunk will need to construct a proper structure. For this purpose, json_set that Splunk added in 8.0 comes in handy. Like this: (Because you didn't enclose sample data, I just assume that lint-info is a top key in your raw data.)

 

| spath path=lint-info.-Wunused-but-set-variable{}
| spath path=lint-info.-Wunused-genvar{}
| mvexpand lint-info.-Wunused-but-set-variable{}
| mvexpand lint-info.-Wunused-genvar{}
| rename lint-info.*{} AS *
| foreach -Wunused-*
    [eval -Wunused = mvappend('-Wunused', json_set('<<FIELD>>', "type", "<<FIELD>>"))]
| mvexpand -Wunused
| spath input=-Wunused
| fields - -Wunused-* _*

 

This is the result from your sample:

| -Wunused | location.column | location.filename | location.line | source | type | warning |
|---|---|---|---|---|---|---|
| {"location":{"column":58,"filename":"ab1","line":237},"source":"logic [MSGG_RX_CNT-1:0][MSGG_RX_CNT_MAXWIDTH+2:0] msgg_max_unrsrvd_temp; // temp value including carry out","warning":"variable 'msgg_max_unrsrvd_temp' is assigned but its value is never used","type":"-Wunused-but-set-variable"} | 58 | ab1 | 237 | logic [MSGG_RX_CNT-1:0][MSGG_RX_CNT_MAXWIDTH+2:0] msgg_max_unrsrvd_temp; // temp value including carry out | -Wunused-but-set-variable | variable 'msgg_max_unrsrvd_temp' is assigned but its value is never used |
| {"location":{"column":11,"filename":"ab3","line":328},"source":"genvar nn,oo;","warning":"unused genvar 'oo'","type":"-Wunused-genvar"} | 11 | ab3 | 328 | genvar nn,oo; | -Wunused-genvar | unused genvar 'oo' |
| {"location":{"column":58,"filename":"ab2","line":254},"source":"logic msgg_avail_cnt_err; // Available Counter update error detected","warning":"variable 'msgg_avail_cnt_err' is assigned but its value is never used","type":"-Wunused-but-set-variable"} | 58 | ab2 | 254 | logic msgg_avail_cnt_err; // Available Counter update error detected | -Wunused-but-set-variable | variable 'msgg_avail_cnt_err' is assigned but its value is never used |
| {"location":{"column":11,"filename":"ab3","line":328},"source":"genvar nn,oo;","warning":"unused genvar 'oo'","type":"-Wunused-genvar"} | 11 | ab3 | 328 | genvar nn,oo; | -Wunused-genvar | unused genvar 'oo' |

Here is data emulation that you can play with and compare with real data

 

| makeresults
| eval _raw = "{\"lint-info\": {
            \"-Wunused-but-set-variable\": [
                {
                    \"location\": {
                        \"column\": 58,
                        \"filename\": \"ab1\",
                        \"line\": 237
                    },
                    \"source\": \"logic [MSGG_RX_CNT-1:0][MSGG_RX_CNT_MAXWIDTH+2:0]        msgg_max_unrsrvd_temp;       // temp value including carry out\",
                    \"warning\": \"variable 'msgg_max_unrsrvd_temp' is assigned but its value is never used\"
                },
                {
                    \"location\": {
                        \"column\": 58,
                        \"filename\": \"ab2\",
                        \"line\": 254
                    },
                    \"source\": \"logic                                                    msgg_avail_cnt_err;          // Available Counter update error detected\",
                    \"warning\": \"variable 'msgg_avail_cnt_err' is assigned but its value is never used\"
                }
            ],
            \"-Wunused-genvar\": [
                {
                    \"location\": {
                        \"column\": 11,
                        \"filename\": \"ab3\",
                        \"line\": 328
                    },
                    \"source\": \"genvar nn,oo;\",
                    \"warning\": \"unused genvar 'oo'\"
                }
            ],
            \"total\": 3,
            \"types\": [
                \"-Wunused-but-set-variable\",
                \"-Wunused-genvar\"
            ]
        }}"
``` data emulation above ```

 

Hope this helps.

0 Karma

rteja9
Path Finder

It works when I use the below query:

....| spath path=lint-info.-Wunused-but-set-variable{} output=members
| stats count by members InstanceName

 

But I don't know the values of Type. If there is more than one type, the query should automatically break into individual events.

0 Karma
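An added example, not part of any post in this thread: a Python sketch of the "proper data structure" reshaping, done before the data reaches Splunk, that discovers the type names from the keys so none have to be known in advance. The function names are hypothetical, and the sample is the thread's lint-info object shortened by hand (the "source" and "warning" fields are omitted).

```python
import json

# Constructed sample: the thread's lint-info object, shortened, with the
# summary keys "total" and "types" left in place.
RAW = """
{"lint-info": {
  "-Wunused-but-set-variable": [
    {"location": {"column": 58, "filename": "ab1", "line": 237}},
    {"location": {"column": 58, "filename": "ab2", "line": 254}}
  ],
  "-Wunused-genvar": [
    {"location": {"column": 11, "filename": "ab3", "line": 328}}
  ],
  "total": 3,
  "types": ["-Wunused-but-set-variable", "-Wunused-genvar"]
}}
"""

def flatten_lint_info(event):
    """Return one flat record per finding, with the warning type as a value.

    Type names are read from the keys, so new types need no code change.
    Summary keys are skipped because they do not hold finding objects.
    """
    rows = []
    for key, value in event.get("lint-info", {}).items():
        if not isinstance(value, list):
            continue  # e.g. "total": 3
        for finding in value:
            if not isinstance(finding, dict):
                continue  # e.g. the strings inside "types"
            loc = finding.get("location", {})
            rows.append({
                "type": key,
                "filename": loc.get("filename"),
                "line": loc.get("line"),
            })
    return rows

def to_ndjson(rows):
    """Serialize rows as newline-delimited JSON, one event per finding."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in rows)

if __name__ == "__main__":
    print(to_ndjson(flatten_lint_info(json.loads(RAW))))
```

Each output line is a self-describing event with fixed keys, so a plain spath followed by table type filename line is enough on the search side.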