Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can i split a json array in mutiple events?

Outek
New Member
‎03-07-2016 02:50 AM

Hello

Im trying to split a json Array into multiple Events in the props.conf
Whats the best way to do this?

Here is the json example:

{
"Applications": [
{
"outputname": "Adobe Flash Player",
"version": "19.0.0.185",
},
{
"outputname": "Adobe Reader",
"version": "1.2.3"
},
{
"outputname": "Attachmate Reflection X",
"version": "14.1.1217",
}
],
"TIMESTAMP": "2016-03-07 09:03:43"
}

What should the props.conf look like to split such a file?
thank you for your suggestions.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎03-07-2016 10:08 AM

There is no props.conf that will split that correctly into other JSON objects. You will need to pre-process with a script or modular input to achieve that.

However, there is a search hack you can do to make reports on the data.

<your_search> | rename Applications{}.* as * | eval z = mvzip(outputname, version) | mvexpand z | eval z = split(z, ",") | eval outputname=mvindex(z,0), version = mvindex(z,1) | stats count by outputname, version

This will allow you to make reports based on the current JSON event.

View solution in original post

Reply
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎03-07-2016 10:08 AM

There is no props.conf that will split that correctly into other JSON objects. You will need to pre-process with a script or modular input to achieve that.

However, there is a search hack you can do to make reports on the data.

<your_search> | rename Applications{}.* as * | eval z = mvzip(outputname, version) | mvexpand z | eval z = split(z, ",") | eval outputname=mvindex(z,0), version = mvindex(z,1) | stats count by outputname, version

This will allow you to make reports based on the current JSON event.

Reply
Solved! Jump to solution

Outek
New Member
‎03-07-2016 11:34 AM

I know the way with mvzip/mvexpand, but i thought that there is an easier way. We did some tests with SEDCMD in the props.conf, but im not really satisfied with the results

What do you mean with "pre-process with a script or modular input to achieve that" ?
Should i rewrite the script which is writing the json file to only log each arrayline as single Event?

0 Karma
Reply
Solved! Jump to solution

alacercogitatus
SplunkTrust
SplunkTrust
‎03-07-2016 11:39 AM

Yes, If you have a script writing out that JSON object, put each item in it's own line. You can put them all in the same file, but Splunk will read them in as individual events.

{ "TIMESTAMP":"2016-03-07 09:03:43", "outputname": "Attachmate Reflection X", "version": "14.1.1217" }
{ "TIMESTAMP":"2016-03-07 09:03:43", "outputname": "Adobe Reader", "version": "1.2.3" }
0 Karma
Reply
Solved! Jump to solution

Outek
New Member
‎03-07-2016 11:45 AM

I like this approach, i'll give it a try.. Thanks 🙂

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-07-2016 09:53 AM

Do you see any issues with ingesting this json array (which also has non-array element (timestamp)) as full event in Splunk? Splunk will convert this json array values to multivalued field and you should be able to report on them easily.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...