Splunk Search

json parsing in SPL

rteja9
Path Finder

I have a JSON which I need help with breaking into key-value pairs.

"lint-info": {
            "-Wunused-but-set-variable": [
                {
                    "location": {
                        "column": 58,
                        "filename": "ab1",
                        "line": 237
                    },
                    "source": "logic [MSGG_RX_CNT-1:0][MSGG_RX_CNT_MAXWIDTH+2:0]        msgg_max_unrsrvd_temp;       // temp value including carry out",
                    "warning": "variable 'msgg_max_unrsrvd_temp' is assigned but its value is never used"
                },
                {
                    "location": {
                        "column": 58,
                        "filename": "ab2",
                        "line": 254
                    },
                    "source": "logic                                                    msgg_avail_cnt_err;          // Available Counter update error detected",
                    "warning": "variable 'msgg_avail_cnt_err' is assigned but its value is never used"
                }
            ],
            "-Wunused-genvar": [
                {
                    "location": {
                        "column": 11,
                        "filename": "ab3",
                        "line": 328
                    },
                    "source": "genvar nn,oo;",
                    "warning": "unused genvar 'oo'"
                }
            ],
            "total": 3,
            "types": [
                "-Wunused-but-set-variable",
                "-Wunused-genvar"
            ]
        },

I need to get a table with Type, filename, and line values like below:

Type                         Filename    Line
-Wunused-but-set-variable    ab1         237
-Wunused-but-set-variable    ab2         254
-Wunused-genvar              ab3         328

Thanks

 

 

0 Karma

yuanliu
SplunkTrust

I'm not a big fan of (mis)using actual data as JSON key.  If you have any influence over your developers, ask them to design a proper data structure.

To rescue data in its current state, Splunk will need to construct a proper structure. For this purpose, json_set, which Splunk added in 8.0, comes in handy. Like this: (Because you didn't enclose sample data, I just assume that lint-info is a top key in your raw data.)

 

| spath path=lint-info.-Wunused-but-set-variable{}
| spath path=lint-info.-Wunused-genvar{}
| mvexpand lint-info.-Wunused-but-set-variable{}
| mvexpand lint-info.-Wunused-genvar{}
| rename lint-info.*{} AS *
| foreach -Wunused-*
    [eval -Wunused = mvappend('-Wunused', json_set('<<FIELD>>', "type", "<<FIELD>>"))]
| mvexpand -Wunused
| spath input=-Wunused
| fields - -Wunused-* _*

 

This is the result from your sample:

| -Wunused | location.column | location.filename | location.line | source | type | warning |
| --- | --- | --- | --- | --- | --- | --- |
| {"location":{"column":58,"filename":"ab1","line":237},"source":"logic [MSGG_RX_CNT-1:0][MSGG_RX_CNT_MAXWIDTH+2:0] msgg_max_unrsrvd_temp; // temp value including carry out","warning":"variable 'msgg_max_unrsrvd_temp' is assigned but its value is never used","type":"-Wunused-but-set-variable"} | 58 | ab1 | 237 | logic [MSGG_RX_CNT-1:0][MSGG_RX_CNT_MAXWIDTH+2:0] msgg_max_unrsrvd_temp; // temp value including carry out | -Wunused-but-set-variable | variable 'msgg_max_unrsrvd_temp' is assigned but its value is never used |
| {"location":{"column":11,"filename":"ab3","line":328},"source":"genvar nn,oo;","warning":"unused genvar 'oo'","type":"-Wunused-genvar"} | 11 | ab3 | 328 | genvar nn,oo; | -Wunused-genvar | unused genvar 'oo' |
| {"location":{"column":58,"filename":"ab2","line":254},"source":"logic msgg_avail_cnt_err; // Available Counter update error detected","warning":"variable 'msgg_avail_cnt_err' is assigned but its value is never used","type":"-Wunused-but-set-variable"} | 58 | ab2 | 254 | logic msgg_avail_cnt_err; // Available Counter update error detected | -Wunused-but-set-variable | variable 'msgg_avail_cnt_err' is assigned but its value is never used |
| {"location":{"column":11,"filename":"ab3","line":328},"source":"genvar nn,oo;","warning":"unused genvar 'oo'","type":"-Wunused-genvar"} | 11 | ab3 | 328 | genvar nn,oo; | -Wunused-genvar | unused genvar 'oo' |

Here is a data emulation that you can play with and compare with real data:

 

| makeresults
| eval _raw = "{\"lint-info\": {
            \"-Wunused-but-set-variable\": [
                {
                    \"location\": {
                        \"column\": 58,
                        \"filename\": \"ab1\",
                        \"line\": 237
                    },
                    \"source\": \"logic [MSGG_RX_CNT-1:0][MSGG_RX_CNT_MAXWIDTH+2:0]        msgg_max_unrsrvd_temp;       // temp value including carry out\",
                    \"warning\": \"variable 'msgg_max_unrsrvd_temp' is assigned but its value is never used\"
                },
                {
                    \"location\": {
                        \"column\": 58,
                        \"filename\": \"ab2\",
                        \"line\": 254
                    },
                    \"source\": \"logic                                                    msgg_avail_cnt_err;          // Available Counter update error detected\",
                    \"warning\": \"variable 'msgg_avail_cnt_err' is assigned but its value is never used\"
                }
            ],
            \"-Wunused-genvar\": [
                {
                    \"location\": {
                        \"column\": 11,
                        \"filename\": \"ab3\",
                        \"line\": 328
                    },
                    \"source\": \"genvar nn,oo;\",
                    \"warning\": \"unused genvar 'oo'\"
                }
            ],
            \"total\": 3,
            \"types\": [
                \"-Wunused-but-set-variable\",
                \"-Wunused-genvar\"
            ]
        }}"
``` data emulation above ```

 

Hope this helps.

0 Karma

rteja9
Path Finder

It works when I use below query,

....| spath path=lint-info.-Wunused-but-set-variable{} output=members
| stats count by members InstanceName

 

But I don't know the values of Type. If there are more than 1 type, query should automatically break into individual events. 

0 Karma
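
An added example, not part of the thread: the restructuring the first reply recommends, applied before the report is indexed, so that each finding carries its warning type as a `type` value and no type name has to be known in the search. The function names and the shortened sample are constructed here; Python is used because this step runs outside Splunk.

```python
import json

# Constructed sample in the shape posted in the question (source strings shortened).
SAMPLE = """
{"lint-info": {
  "-Wunused-but-set-variable": [
    {"location": {"column": 58, "filename": "ab1", "line": 237},
     "source": "logic msgg_max_unrsrvd_temp;",
     "warning": "variable 'msgg_max_unrsrvd_temp' is assigned but its value is never used"},
    {"location": {"column": 58, "filename": "ab2", "line": 254},
     "source": "logic msgg_avail_cnt_err;",
     "warning": "variable 'msgg_avail_cnt_err' is assigned but its value is never used"}
  ],
  "-Wunused-genvar": [
    {"location": {"column": 11, "filename": "ab3", "line": 328},
     "source": "genvar nn,oo;",
     "warning": "unused genvar 'oo'"}
  ],
  "total": 3,
  "types": ["-Wunused-but-set-variable", "-Wunused-genvar"]
}}
"""

def flatten_lint_info(report):
    """Return one dict per finding, with the warning type moved from key to value."""
    lint = report["lint-info"]
    findings = []
    for key, value in lint.items():
        # Findings are lists of objects; "total" (int) and "types" (strings) drop out.
        if not isinstance(value, list):
            continue
        findings.extend({"type": key, **item} for item in value if isinstance(item, dict))
    # Cross-check against the report's own summary so a truncated report is rejected.
    if "total" in lint and lint["total"] != len(findings):
        raise ValueError(f"expected {lint['total']} findings, got {len(findings)}")
    missing = set(lint.get("types", [])) - {f["type"] for f in findings}
    if missing:
        raise ValueError(f"types listed but absent: {sorted(missing)}")
    return findings

def to_ndjson(findings):
    """One JSON object per line, so each finding can be indexed as its own event."""
    return "\n".join(json.dumps(f, sort_keys=True) for f in findings)

if __name__ == "__main__":
    print(to_ndjson(flatten_lint_info(json.loads(SAMPLE))))
```

Indexed one object per line, the table asked for in the question reduces to `| spath | table type location.filename location.line`.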