×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
jerewill
Explorer
Member since: ‎07-18-2022
‎07-21-2022
Community Statistics
Posts 4
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎07-18-2022
Activity Feed
View All

Re: Complex JSON (and Multivalue) processing

by in Splunk Search
‎07-20-2022 07:34 AM
‎07-20-2022 07:34 AM
I do think that this seems like a good solution, but I think adding an application will have to be an alternative solution for me in this case. But this is very interesting and does do what I want very nicely.  I was not aware of it previously, so thank you. array2object path="Tags" key=Key value=Value Very easy. ... View more

Re: Complex JSON (and Multivalue) processing

by in Splunk Search
‎07-20-2022 07:22 AM
‎07-20-2022 07:22 AM
That doesn't seem to work for me.  The table before the transpose looks like this... Name Key Value example Building 1 example Floor 2 example Color Red   Then the transpose turns the Name field into columns which, again, doesn't get something that can be well searched for things like (Building=1 AND Floor=2). ... View more

Re: Complex JSON (and Multivalue) processing

by in Splunk Search
‎07-19-2022 08:25 PM
‎07-19-2022 08:25 PM
Not quite… I want one record that looks more like this… Name Building Floor Color example 1 2 Red           The problem is that you can’t effectively search multiple tags with what you have there.  For example, I can search `Key=Floor AND Value=2` to get the second record of the mvexpand, but I can’t get a search that links them together.  I need to be able to do a search that is more like `Building=1 AND Floor=2` Does that make sense?  ... View more

Complex JSON (and Multivalue) processing

by in Splunk Search
‎07-19-2022 11:54 AM
‎07-19-2022 11:54 AM
I've been working on a project with JSON in the event where Tags are stored similar to this... { "Name": "example", "Tags": [ {"Key": "Building", "Value": "1"}, {"Key": "Floor", "Value": "2"}, {"Key": "Color", "Value": "Red"} ] } The default extract from spath provided the Tags{}.Key and Tags{}.Value fields which were pretty much useless as-is.  What I wanted was for each tag to be a field on the event so that you could use them in a search, ex. Building=1 AND Color=Red.  But the number of tags varies and the same value could appear in multiple tags (i.e. Building=1 AND Floor=1).    Here's what I came up with so far... I'm curious if anyone has a better suggestion. | rename Tags{}.Key as Key, Tags{}.Value as Value | eval zip=mvzip(Key,Value, ":") | mvexpand zip |rex field=zip mode=sed "s/$/\"}/g" |rex field=zip mode=sed "s/^/{\"tag./g"| rex field=zip mode=sed "s/:/\": \"/g" | spath input=zip | transaction Name This approach basically uses mvzip and mvexpand to pull apart the Tags, then uses rex with sed to rebuild a JSON object to pass back through spath.  It seems pretty complex, but I just can't see a better way to do it. I'm interested to hear if anyone has a better suggestion? ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎07-21-2022 09:59 AM
Karma given to
View All