Hi,
I have issue similar to: https://community.splunk.com/t5/Getting-Data-In/how-to-split-the-json-array-into-multiple-new-events/m-p/122265 But my case is a bit different.
JSON structure:
{ "MetaData": { "Host Name": "....", "Wi-Fi Driver Version": "..." }, "Payloads": [ { "Header": { "Type": "Event", "Name": "...", "TimeStamp": ... }, "Payload": { "MAC Address": "00:00:00:00:00:00", "Network Adapter Type": ... } }, { ] }

I need to:
1. extract a table containing the following columns: MetaData.Host Name, MetaData.Wi-Fi Driver Version, Header.Type, Header.Name, Payload.MAC Address, Payload.Network Adapter Type
2. I expect to see 2 rows in this case
3. the field names under MetaData, Header and Payload can change, so it should be generic.

I have started to write something like this, but it's not generic (Type, Name, ...) and it doesn't extract the MetaData:
| spath input=json output=payloadsObjects path=Payloads{}
| mvexpand payloadsObjects
| spath input=payloadsObjects output=Type path=Header.Type
| spath input=payloadsObjects output=Name path=Header.Name
| table *

JSON example to use:
| makeresults
| eval _raw="{ \"MetaData\": { \"Host Name\": \"maya-MOBL\", \"Driver Version\": \"99.0.100.4\" }, \"Payloads\": [ { \"Header\": { \"Type\": \"Event\", \"Name\": \"IP Disconnection\", \"TimeStamp\": 133265876804261336 }, \"Payload\": { \"MAC Address\": \"00:00:00:00:00:00\", \"Adapter Type\": 140 } }, { \"Header\": { \"Type\": \"Event\", \"Name\": \"Connection success\", \"TimeStamp\": 133265877087374706 }, \"Payload\": { \"MAC Address\": \"00:00:00:00:00:00\", \"Network Adapter Type\": 131, \"Address\": \"0000:0:0000:000:000:df:0000:0000\", \"Prefix Length\": 64, \"Is Local Address\": false, \"Gateway IP Address\": \"::\", \"DNS Server\": [], \"DHCP Server\": null, \"DHCP Lease Duration\": 000000000, \"DHCP Retrieval Time\": 0 } } ] }"

May I get your help please?

*Note: it would be nice to also have a solution that doesn't use makeresults, because it caused me a problem finding the Payloads{} field when I used a real JSON file in my report instead of makeresults.
*Note 2: time performance needs to be taken into consideration.
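One generic way to get the two-row table the post asks for, as an added example that is not part of the original post or of any Splunk documentation: pull the shared MetaData object and the Payloads array out with spath, mvexpand the array so each element becomes its own event, and then run spath with no path on the element so every key under Header and Payload is auto-extracted, whatever it is called. The MetaData object is re-wrapped in an outer {"MetaData": ...} object before extraction purely so that its keys come back prefixed as MetaData.*, matching the naming of Header.* and Payload.*. The sample event is a shortened copy of the poster's own makeresults JSON; the index and sourcetype names in the commented-out alternative base search are placeholders (assumptions), not real values from the post.

```spl
| makeresults
| eval _raw="{ \"MetaData\": { \"Host Name\": \"maya-MOBL\", \"Driver Version\": \"99.0.100.4\" }, \"Payloads\": [ { \"Header\": { \"Type\": \"Event\", \"Name\": \"IP Disconnection\", \"TimeStamp\": 133265876804261336 }, \"Payload\": { \"MAC Address\": \"00:00:00:00:00:00\", \"Adapter Type\": 140 } }, { \"Header\": { \"Type\": \"Event\", \"Name\": \"Connection success\", \"TimeStamp\": 133265877087374706 }, \"Payload\": { \"MAC Address\": \"00:00:00:00:00:00\", \"Network Adapter Type\": 131, \"Prefix Length\": 64, \"Is Local Address\": false } } ] }"
| spath input=_raw output=MetaData path=MetaData
| spath input=_raw output=payload path=Payloads{}
| mvexpand payload
| spath input=payload
| eval MetaData="{\"MetaData\":" . MetaData . "}"
| spath input=MetaData
| table MetaData.* Header.* Payload.*
```

To run it against indexed data instead of makeresults, drop the first two lines and start with the real base search (for example `index=<your_index> sourcetype=<your_sourcetype>`, both placeholders); the rest is unchanged because `spath input=_raw` reads the raw JSON of each event. That also explains the missing Payloads{} field in the real report: search-time JSON extraction creates leaf fields such as `Payloads{}.Header.Type` (multivalued across all array elements), not a field holding each array element as a JSON string, so the explicit `spath ... path=Payloads{}` is what produces the per-element values that `mvexpand` needs. On performance: filter as tightly as possible in the base search, keep `mvexpand` after that filtering (it multiplies the event count and is subject to the `max_mem_usage_mb` limit in the `[mvexpand]` stanza of limits.conf, beyond which results are truncated with a warning), and avoid a bare `spath` on `_raw`, which would extract every multivalued `Payloads{}.*` field you do not need. Columns only present in one payload (Prefix Length, Is Local Address) simply stay empty in the other row.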