We want to parse deeply nested JSON into expanded tables. We found that the following search works, provided we apply `| rename *.* as *_*` as many times as the nesting is deep. Unless the "." in the field names is replaced, Splunk does not make all fields and subfields available. Is there a more generic solution?
index="adm_compute_qcheck"
```Each rename stage rewrites field names matching *.* to *_*. The stage is repeated four times; per the question text, one repetition is needed per nesting level, so deeper JSON would need more.```
| rename *.* as *_* | rename *.* as *_* | rename *.* as *_* | rename *.* as *_*
```Drop the {} marker from the renamed field names, covering both the _{} and {}_ forms. NOTE(review): {} presumably comes from JSON arrays such as HBA in the sample below; confirm against the extracted field list.```
| rename *_{}* as ** | rename *{}_* as ** | rename *{}_* as **
Here is the first part of the JSON:
[
{
"BIOS": {
"manufacturer": "INSYDE Corp.",
"SystemBiosMajorVersion": 0,
"SystemBiosMinorVersion": 41,
"SMBIOSBIOSVersion": "0.99"
}
},
{
"Checkpoint": {
}
},
{
"ClusterName": null
},
{
"CPUType": {
"NumberOfCores": 16
}
},
{
"HBA": [
{
"active": true,
"drivername": "elxfc",
"driverversion": "12.2.207.0",
"firmwareversion": "11.4.204.25",
"optionromversion": "11.4.204.25",
"manufacturer": "Emulex Corporation",
"model": "LPe32002-AP",
"serialnumber": "FC83980875"
},
{
"active": true,
"drivername": "elxfc",
"driverversion": "12.2.207.0",
"firmwareversion": "11.4.204.25",
"optionromversion": "11.4.204.25",
"manufacturer": "Emulex Corporation",
"model": "LPe32002-AP",
"serialnumber": "FC83980875"
}
]
},
{
"HPE": [
]
},
{
"HPEDiskCount": 0
},
{
"HPELogicalDisks": {
"Status": null,
"RaidLevel": null,
"ID": null,
"Capacity": null
}
},
{
"HPEPhysicalDisks": [
]
},
{
"Mig": {
"VirtualMachineMigrationEnabled": true,
"VirtualMachineMigrationPerformanceOption": 2,
"VirtualMachineMigrationAuthenticationType": 1,
"MaximumVirtualMachineMigrations": 2,
"MaximumStorageMigrations": 2
}
},