Solved: How to split Json array using Splunk Search comman...

ajayabburi508 · ‎02-16-2018

My Query is :

|inputlookup geo_jj | eval types = "{\"geom\": " + geom + "}" | spath input=types

i got output in geom column is :

geom

{"type":"MultiPolygon","coordinates":[[[[-105.8203125,31.052934646606445],[-105.8203125,48.806861877441406],[-88.06640625,48.806861877441406],[-88.06640625,31.052934646606445],[-105.8203125,31.052934646606445]]]]}

But i want output like this

value1 value2
-105.8203125 31.052934646606445
-105.8203125 48.806861877441406
-88.06640625 48.806861877441406
-88.06640625 31.052934646606445
-105.8203125 31.052934646606445

Please help me for this

493669 · ‎02-17-2018

Hi @ajayabburi508,
try this regex:

|rex max_match=0 field=geom "\[(?<value1>-[^,]+),(?<value2>[^]]+)"

after this to separate multivalue fields you can try :

|eval combined=mvzip(value1,value2)| mvexpand combined
 | makemv combined delim=","  
|eval lat=mvindex(combined,0), lon=mvindex(combined,1)

View solution in original post

493669 · ‎02-17-2018

Hi @ajayabburi508,
try this regex:

|rex max_match=0 field=geom "\[(?<value1>-[^,]+),(?<value2>[^]]+)"

after this to separate multivalue fields you can try :

|eval combined=mvzip(value1,value2)| mvexpand combined
 | makemv combined delim=","  
|eval lat=mvindex(combined,0), lon=mvindex(combined,1)

ajayabburi508 · ‎02-17-2018

Thanks 493669 alot ,it is working good

493669 · ‎02-17-2018

Glad to help:) please accept the answer so that it will no longer open.

ajayabburi508 · ‎02-17-2018

Accepted bro

How to split Json array using Splunk Search commands??

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor