Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I turn this JSON event into a table with various fields?

hsingams2
Explorer
‎09-15-2017 11:24 AM

Hello, a beginner question. I've a search query that produces a single JSON event such as this:
{
Error/type/0 : type_value0
Error/type/1 : type_value1
Error/type/2 : type_value2
Error/desc/0 : desc_value0
Error/desc/1 : desc_value1
Error/desc/2 : desc_value2
Error/logfile/0 : file_value0
Error/logfile/1 : file_value1
Error/logfile/2 : file_value2
}

I want to transform this into a table like this (end output):

type desc logfile

0 type_value0 desc_value0 file_value0
1 type_value1 desc_value1 file_value1
2 type_value2 desc_value2 file_value2

I'm thinking splitting the input JSON event into multiple small events could help me get to the end result. Or may be there is a better way.

How do I achieve this?

Thanks in advance for your help.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎09-15-2017 01:39 PM

@hsingams2 if the events will have type, desc and logfiles in the same sequence, then you can try the following search:
PS: first two pipes below i.e. makeresults and eval _raware used to mock data as per the question:

| makeresults
| eval _raw="{
Error/type/0 : type_value0
Error/type/1 : type_value1
Error/type/2 : type_value2
Error/desc/0 : desc_value0
Error/desc/1 : desc_value1
Error/desc/2 : desc_value2
Error/logfile/0 : file_value0
Error/logfile/1 : file_value1
Error/logfile/2 : file_value2
Error/type/3 : type_value3
Error/desc/3 : desc_value3
Error/logfile/3 : file_value3
}"
| rex max_match=0 field=_raw "Error/(?<key>\w+)/(?<num>\d+)\s\:\s(?<value>.+)"
| eval num_value=mvzip(num,value)
| mvexpand num_value
| eval num_value=split(num_value,",")
| eval num=mvindex(num_value,0)
| eval value=mvindex(num_value,1)
| table num value
| stats list(value) as value by num
| eval type=mvindex(value,0)
| eval desc=mvindex(value,1)
| eval logfile=mvindex(value,2)
| fields - value

On a similar lines rex and mvzip commands can be replaced with eval with replace and makemv commands.

| eval num_value=replace(replace(replace(jsonData,"Error/\w+/(\d+)\s\:\s(.+)","\1,\2;"),"{",""),"}","")
| makemv delim=";" num_value

This would require one additional pipe in the end after fields - value i.e. 

| fields - value
| where isnotnull(type)
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

lfedak_splunk
Splunk Employee
Splunk Employee
‎09-15-2017 03:52 PM

Hey @hsingams2, glad you were able to solve your question. If the other users helped make your search more efficient, please "√Accept" their answer to award karma points 🙂 You can also upvote their comments.

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎09-15-2017 01:39 PM

@hsingams2 if the events will have type, desc and logfiles in the same sequence, then you can try the following search:
PS: first two pipes below i.e. makeresults and eval _raware used to mock data as per the question:

| makeresults
| eval _raw="{
Error/type/0 : type_value0
Error/type/1 : type_value1
Error/type/2 : type_value2
Error/desc/0 : desc_value0
Error/desc/1 : desc_value1
Error/desc/2 : desc_value2
Error/logfile/0 : file_value0
Error/logfile/1 : file_value1
Error/logfile/2 : file_value2
Error/type/3 : type_value3
Error/desc/3 : desc_value3
Error/logfile/3 : file_value3
}"
| rex max_match=0 field=_raw "Error/(?<key>\w+)/(?<num>\d+)\s\:\s(?<value>.+)"
| eval num_value=mvzip(num,value)
| mvexpand num_value
| eval num_value=split(num_value,",")
| eval num=mvindex(num_value,0)
| eval value=mvindex(num_value,1)
| table num value
| stats list(value) as value by num
| eval type=mvindex(value,0)
| eval desc=mvindex(value,1)
| eval logfile=mvindex(value,2)
| fields - value

On a similar lines rex and mvzip commands can be replaced with eval with replace and makemv commands.

| eval num_value=replace(replace(replace(jsonData,"Error/\w+/(\d+)\s\:\s(.+)","\1,\2;"),"{",""),"}","")
| makemv delim=";" num_value

This would require one additional pipe in the end after fields - value i.e. 

| fields - value
| where isnotnull(type)
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

naidusadanala
Communicator
‎09-15-2017 12:39 PM

Try something like this

|spath input=_raw | stats values(*) as by error(which is unique identifier)

0 Karma
Reply
Solved! Jump to solution

hsingams2
Explorer
‎09-15-2017 12:22 PM

Ok, after a bit of trial and error, I was able to solve this.

However, I am not sure if it's an efficient way. I'm hoping splunk experts on this group weigh in on the solution.

... | rex field=_raw "Error/type/(?\d+)\s*:\s*(?\S+)" max_match=100
| rex field=_raw "Error/desc/\d+\s*:\s*(?\S+)" max_match=100

| rex field=_raw "Error/logfile/\d+\s*:\s*(?\S+)" max_match=100

| eval fields = mvzip(mvzip(mvzip(num,type_value),desc_value),log_value)
| mvexpand fields
| rex field=fields "(?\S+),(?\S+),(?\S+),(?\S+)"
| table _time num type desc logfile

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...