Adding and sorting key, value pairs in JSON array

evan_roggenkamp · ‎06-13-2017

This is the way my data looks:

{  
   "NODE-A":{  
      "DATA":{  
         "SNR_DATA":{  
            "Cable3/0/3-upstream2":38.1,
            "Cable3/0/3-upstream0":38.3
         },
         "MODEM_DATA":{  
            "Cable3/0/3-upstream2":14,
            "Cable3/0/3-upstream0":32
         }
      }
   }
}

I am trying to figure out how to add the values of each Cable interface under "MODEM_DATA" and present it in a table so that it can be graphed.

The farthest I have been able to get is to use spath like so:

| spath path=DATA.MODEM_DATA output=test | table test

This does not exactly break apart the key, value pairs so they can be manipulated. How to do this?

woodcock · ‎06-14-2017

This is a general approach to demonstrate:

 | makeresults count=3
 | streamstats count AS serial
 | eval ExtendedProperties.Name="DisplayName IsPublic Mail"
 | makemv ExtendedProperties.Name
 | eval ExtendedProperties.Value=case(
    (serial=1), "Test Group::False::testgroup@microsoft.com",
    (serial=2), "Group1::True::group1@microsoft.com",
    (serial=3), "Group2::True::group2@microsoft.com")
 | makemv delim="::" ExtendedProperties.Value
 | fields - _time

 | rename COMMENT AS "Everything above generates contrived example data; everytinng below is the general solution"

 | eval KVP=mvzip('ExtendedProperties.Name', 'ExtendedProperties.Value', "=")
 | table KVP serial
 | mvexpand KVP
 | rex field=KVP "^(?<KVP_key>[^=]+)=(?<KVP_value>[^=]+)$"
 | eval {KVP_key}=KVP_value
 | fields - KVP* 
 | stats values(*) AS * BY serial

Adding and sorting key, value pairs in JSON array

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes