Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I write a search query for a hierachial JSON?

kjubie
New Member
‎08-10-2018 04:34 AM

(I have no experience in Splunk searches)
The question is simple:

I have a JSON like this:

{
    "name": "Testdata",
    "children": [
        {
            "name": "A",
            "children": [
            {
                "name": "A1",   
                "value": 436
            },
            {
                "name": "A2",
                "value": 546
            },
            {
                "name": "A3",
                "value": 223
            },
            {
                "name": "A4",
                "value": 132
            },
            {
                "name": "A5",
                "value": 115
            },
            {
                "name": "A6",
                "value": 96
            }]
        },
        {
            "name": "B",
            "children": [
            {
                "name": "B1",
                "value": 453
            },
            {
                "name": "B2",
                "value": 344
            },
            {
                "name": "B3",
                "value": 35
            },
            {
                "name": "B4",
                "value": 65
            },
            {
                "name": "B5",
                "value": 789
            },
            {
                "name": "B6",
                "value": 648
            },
            {
                "name": "B7",
                "value": 147
            }]
        }
      ]
}

and I want a table like this:

parent    |name   |value
A         |A1     | 436
A         |A2     | 546
...       |..     |..
B         |B1     |443

(Sorry for the bad drawn table)

Thanks for the answers!

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎08-10-2018 06:52 AM

Use spath to parse the json. Here is an example

| makeresults |eval json="{
     \"name\": \"Testdata\",
     \"children\": [
         {
             \"name\": \"A\",
             \"children\": [
             {
                 \"name\": \"A1\",    
                 \"value\": 436
             },
             {
                 \"name\": \"A2\",
                 \"value\": 546
             },
             {
                 \"name\": \"A3\",
                 \"value\": 223
             },
             {
                 \"name\": \"A4\",
                 \"value\": 132
             },
             {
                 \"name\": \"A5\",
                 \"value\": 115
             },
             {
                 \"name\": \"A6\",
                 \"value\": 96
             }]
         },
         {
             \"name\": \"B\",
             \"children\": [
             {
                 \"name\": \"B1\",
                 \"value\": 453
             },
             {
                 \"name\": \"B2\",
                 \"value\": 344
             },
             {
                 \"name\": \"B3\",
                 \"value\": 35
             },
             {
                 \"name\": \"B4\",
                 \"value\": 65
             },
             {
                 \"name\": \"B5\",
                 \"value\": 789
             },
             {
                 \"name\": \"B6\",
                 \"value\": 648
             },
             {
                 \"name\": \"B7\",
                 \"value\": 147
             }]
         }
       ]
 }"
 |spath input=json|table children{}.name,children{}.children{}.name,children{}.children{}.value
 |rename children{}.children{}.name as grand_child_name,children{}.name as child_name,children{}.children{}.value as grand_child_value
 |eval zipped=mvzip(grand_child_name,grand_child_value)|table child_name,zipped|mvexpand zipped
 |mvexpand child_name|eval x=split(zipped,",")|eval grand_child_name=mvindex(x,0),grand_child_value=mvindex(x,1)
 |table child_name,grand_child_name,grand_child_value|eval match=substr(grand_child_name,0,1)|where child_name==match|fields - match
Happy Splunking!

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎08-10-2018 06:52 AM

Use spath to parse the json. Here is an example

| makeresults |eval json="{
     \"name\": \"Testdata\",
     \"children\": [
         {
             \"name\": \"A\",
             \"children\": [
             {
                 \"name\": \"A1\",    
                 \"value\": 436
             },
             {
                 \"name\": \"A2\",
                 \"value\": 546
             },
             {
                 \"name\": \"A3\",
                 \"value\": 223
             },
             {
                 \"name\": \"A4\",
                 \"value\": 132
             },
             {
                 \"name\": \"A5\",
                 \"value\": 115
             },
             {
                 \"name\": \"A6\",
                 \"value\": 96
             }]
         },
         {
             \"name\": \"B\",
             \"children\": [
             {
                 \"name\": \"B1\",
                 \"value\": 453
             },
             {
                 \"name\": \"B2\",
                 \"value\": 344
             },
             {
                 \"name\": \"B3\",
                 \"value\": 35
             },
             {
                 \"name\": \"B4\",
                 \"value\": 65
             },
             {
                 \"name\": \"B5\",
                 \"value\": 789
             },
             {
                 \"name\": \"B6\",
                 \"value\": 648
             },
             {
                 \"name\": \"B7\",
                 \"value\": 147
             }]
         }
       ]
 }"
 |spath input=json|table children{}.name,children{}.children{}.name,children{}.children{}.value
 |rename children{}.children{}.name as grand_child_name,children{}.name as child_name,children{}.children{}.value as grand_child_value
 |eval zipped=mvzip(grand_child_name,grand_child_value)|table child_name,zipped|mvexpand zipped
 |mvexpand child_name|eval x=split(zipped,",")|eval grand_child_name=mvindex(x,0),grand_child_value=mvindex(x,1)
 |table child_name,grand_child_name,grand_child_value|eval match=substr(grand_child_name,0,1)|where child_name==match|fields - match
Happy Splunking!
Reply
Solved! Jump to solution

DalJeanis
Legend
‎08-10-2018 10:36 PM

Converted this to an answer because it answers the question with an excellent run-anywhere example.

Reply
Solved! Jump to solution

kjubie
New Member
‎08-13-2018 12:08 AM

Thanks for your help! Works perfectly!

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎08-10-2018 10:46 PM

Thanks @DalJeanis !

Happy Splunking!
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...