- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Simple Json formatting into table
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, I posted similar question earlier but I dont see it anymore as posted so reposting simplified version.
json has this format
"Diagnosis": {
"Version": 2,
"dia": [
{
"name": "EF",
"stringValue": "Emergency",
"isRequired": false,
"Defaultvalue": "EF"
},
{
"name": "WR",
"stringValue": 0,
"isRequired": true,
"Defaultvalue": "EN"
} ]
The table needs to be in this format
name stringvalue isrequired defaultValue
EF Emergency false EF
WR 0 true EN
I am not able to figure out how to put in this format, I used spath but the columns entries do not match to corresponding rows...i.e. EF might match with 0 in stringValue instead in Emeregency . I saw mention that mvzip might work but I do not know how to use it. Can someone please help me ?
Thank you !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Referring to the example in http://docs.splunk.com/Documentation/Splunk/6.4.1/SearchReference/spath#Example_3:_Extract_and_expan..., below works fine for me
|stats count |eval json1="{
\"Diagnosis\":
{
\"Version\": 2,
\"dia\":
[
{
\"name\": \"EF\",
\"stringValue\": \"Emergency\",
\"isRequired\": false,
\"Defaultvalue\": \"EF\"
},
{
\"name\": \"WR\",
\"stringValue\": 0,
\"isRequired\": true,
\"Defaultvalue\": \"EN\"
}
]
}
}"
|spath input=json1|rename Diagnosis.dia{}.* as *
|eval values=mvzip(mvzip(mvzip(name,stringValue),isRequired),Defaultvalue)
|mvexpand values| eval values = split(values,",")
|eval name=mvindex(values,0)|eval stringValue=mvindex(values,1) |eval isRequired=mvindex(values,2)|eval Defaultvalue=mvindex(values,3) | table name,stringValue,isRequired,Defaultvalue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Referring to the example in http://docs.splunk.com/Documentation/Splunk/6.4.1/SearchReference/spath#Example_3:_Extract_and_expan..., below works fine for me
|stats count |eval json1="{
\"Diagnosis\":
{
\"Version\": 2,
\"dia\":
[
{
\"name\": \"EF\",
\"stringValue\": \"Emergency\",
\"isRequired\": false,
\"Defaultvalue\": \"EF\"
},
{
\"name\": \"WR\",
\"stringValue\": 0,
\"isRequired\": true,
\"Defaultvalue\": \"EN\"
}
]
}
}"
|spath input=json1|rename Diagnosis.dia{}.* as *
|eval values=mvzip(mvzip(mvzip(name,stringValue),isRequired),Defaultvalue)
|mvexpand values| eval values = split(values,",")
|eval name=mvindex(values,0)|eval stringValue=mvindex(values,1) |eval isRequired=mvindex(values,2)|eval Defaultvalue=mvindex(values,3) | table name,stringValue,isRequired,Defaultvalue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for reply. For some reason, this one does not return any result for me, am I missing anything ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is just a sample dummy search and you need to apply this in your original. Are you not getting anything if you copy paste the entire section to a search window? are you getting any error?
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
