Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to concatenate fields from JSON

BeeSpark
Engager
‎11-22-2023 02:21 AM

I have an inputlookup table, in this lookup table there is a JSON array called "Evidence"

There is two field I would like to extract, one is "Rule" and the "Criticality". An example of Evidence array will look like this:

{"Evidence":[{"Rule":"Observed in the Wild Telemetry","Criticality":1},{"Rule":"Recent DDoS","Criticality":3}]}

So if I eval both "Rule" and Criticality" as shown below:

| eval "Rule"=spath(Evidence, "Evidence{}.Rule")
| eval "Criticality"=spath(Evidence, "Evidence{}.Criticality")
| table Rule Criticality

The output will show like this but the Rule & Criticality column doesn't separate into different row (it is all in one row):

Rule
Criticality
Observed in the Wild Telemetry
Recent DDoS
1
3


Now the tricky part, I would like display the top count of Rule (top Rule limit=10)  but at the same time display the associated Criticality with the Rule. How do it? since the above does not separate into different row.

The final outlook I am looking for, will look like this:

RuleCriticalityCount
Observed in the Wild Telemetry150
Recent DDoS32


An alternative I was thinking was using foreach then concate it into a Combined Field, but I think It is kind of complex.

Labels (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-22-2023 02:47 AM 
| spath Evidence{} output=Evidence
| mvexpand Evidence
| spath input=Evidence
| stats count by Rule Criticality

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-22-2023 02:47 AM 
| spath Evidence{} output=Evidence
| mvexpand Evidence
| spath input=Evidence
| stats count by Rule Criticality
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...