Restructure existing Fields

abhisawa · ‎02-16-2015

I have available json as following



{

    "Foo1": {

        "Bar1": {

            "Key1": "Value1",

            "Key2": "Value2",

            "KeyN": "ValueN"

        }

    },

    "FooN": {

        "BarN": {

            "Key1": "Value1",

            "Key2": "Value2",

            "KeyN": "ValueN"

        }

    }

}

If I run this through spath , I get fields like Foo1.Bar1.Key1 with their values.

How can I split that field name on '.' to extract individual Fields like
- new field 'F' will have value from Foo1 ... FooN
- new field 'B' will have value from Bar1 ... BarN
- new fields 'Key1' ... 'KeyN' will have values from 'Value1' ... 'ValueN'

martin_mueller · ‎02-17-2015

This isn't pretty, I'm not sure where you're trying to go with this, and I'm not sure if this is what you had in mind, but...

| stats count | fields - count | eval _raw = "{\"Foo1\": {\"Bar1\": {\"Key1\": \"Value1a\", \"Key2\": \"Value2a\", \"KeyN\": \"ValueNa\"}}, \"FooN\": {\"BarN\": {\"Key1\": \"Value1b\", \"Key2\": \"Value2b\", \"KeyN\": \"ValueNb\"}}}"
| spath | foreach *.*.*
  [ eval F = mvappend(F, "<<MATCHSEG1>>")
  | eval B = mvappend(B, "<<MATCHSEG2>>")
  | eval <<MATCHSEG3>> = mvappend('<<MATCHSEG3>>', '<<FIELD>>')]
| eval F = mvdedup(F) | eval B = mvdedup(B) | table F B Key*

yields this:

F     B     Key1     Key2     KeyN
Foo1  Bar1  Value1a  Value2a  ValueNa
FooN  BarN  Value1b  Value2b  ValueNb

Restructure existing Fields

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life