Getting Data In

How to extract a specific key and its values in a table?

nithyashreea
New Member

Hello, I'm new to Splunk search commands.
My event is like:

ObjectID: 001
Properties: [ [ -]
{[-]
 Name: targetName
 Value: sample 1       
}
{
}
{
}
]

I want to display the result set in a table where ObjectID and targetName should each be a column. Here, targetName is the key and it has multiple values such as sample1 or sample2 or sample3.
Can you please help me display the table?

0 Karma

VatsalJagani
SplunkTrust

Hello @nithyashreea,
If you have valid JSON, please check the xpath command.

0 Karma

woodcock
Esteemed Legend

I agree with the others, post an ACTUAL event in code markup and a mockup of your desired output.

0 Karma

niketn
Legend

Sorry, this is not valid JSON. Also, use the code button on Splunk Answers, since the answer to your question would depend on the JSON structure. Based on the details provided, does it look like the following?

{
    "ObjectID":"001",
    "Properties":[{
        "name":"targetName",
        "value":"sample1"
    },
    {
        "name":"targetClass",
        "value":"class1"
    },
    {
        "name":"targetApp",
        "value":"App1"
    }]
}

Even if it did, you will have multi-valued fields for Name and Value. Try the following partial query that generates the data as per the question (multivalued though):

| makeresults 
| eval _raw="{
    \"ObjectID\": \"001\",
    \"Properties\":[{
        \"name\":\"targetName\",
        \"value\":\"sample1\"
        },{
        \"name\":\"targetClass\",
        \"value\":\"class1\"
        },{
        \"name\":\"targetApp\",
        \"value\":\"App1\"
        }]
}" 
| append 
    [| makeresults 
    | eval _raw="{
    \"ObjectID\": \"002\",
    \"Properties\":[{
        \"name\":\"targetName\",
        \"value\":\"sample2\"
            },{
        \"name\":\"targetClass\",
        \"value\":\"class2\"
            },{
        \"name\":\"targetApp\",
        \"value\":\"App2\"
            }]
}"] 
| spath 
| fields - _time _raw 

Since it results in multi-valued fields, which you have not reported in your question, there are a couple more steps I have used to convert them to single values. Append the following search query to the above to get single-value Properties Name and Value:

| eval zip=mvzip('Properties{}.name','Properties{}.value') 
| fields - "Properties{}.name" "Properties{}.value" 
| mvexpand zip 
| makemv zip delim="," 
| eval "Properties{}.name"=mvindex(zip,0), "Properties{}.value"=mvindex(zip,1) 
| fields - zip

Finally, through xyseries you should be able to create the targetApp, targetClass and targetName fields:

| xyseries ObjectID "Properties{}.name" "Properties{}.value"

Please try out the example and confirm. If it does not solve your issue, as stated before, please share the JSON file sample data (mask/anonymize any sensitive information).

Following is the combined run anywhere search query:

| makeresults 
| eval _raw="{
    \"ObjectID\": \"001\",
    \"Properties\":[{
        \"name\":\"targetName\",
        \"value\":\"sample1\"
        },{
        \"name\":\"targetClass\",
        \"value\":\"class1\"
        },{
        \"name\":\"targetApp\",
        \"value\":\"App1\"
        }]
}" 
| append 
    [| makeresults 
    | eval _raw="{
    \"ObjectID\": \"002\",
    \"Properties\":[{
        \"name\":\"targetName\",
        \"value\":\"sample2\"
            },{
        \"name\":\"targetClass\",
        \"value\":\"class2\"
            },{
        \"name\":\"targetApp\",
        \"value\":\"App2\"
            }]
}"] 
| spath 
| fields - _time _raw 
| eval zip=mvzip('Properties{}.name','Properties{}.value') 
| fields - "Properties{}.name" "Properties{}.value" 
| mvexpand zip 
| makemv zip delim="," 
| eval "Properties{}.name"=mvindex(zip,0), "Properties{}.value"=mvindex(zip,1) 
| fields - zip
| xyseries ObjectID "Properties{}.name" "Properties{}.value"

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn
Legend

@nithyashreea, a valid JSON structure would help community experts assist you better. Please use the Code button (101010) or shortcut Ctrl+K while posting the JSON so that special characters do not escape.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

nithyashreea
New Member

Hi, my raw text looks like this:
ObjectID:001 | Properties{}.Name=targetName Properties{}.Name=targetClass Properties{}.Name=targetApp|
Properties{}.Value=sample1 Properties{}.Value=class1 Properties{}.Value=App1 |
Hope this gives you an idea.

0 Karma

jnudell_2
Builder

You can also put a backtick character ` before and after the code you want to display.

0 Karma

amitm05
Builder

Can you mention how this event is getting processed in fields, especially the Name:targetname along with its values??

0 Karma

nithyashreea
New Member

If I add the fields in search, it is processed as
"Properties{}.Name"=targetName
"Properties{}.Value"="sample1"
There are many such Property names and values, but I have to fetch only the property with name "targetName" and its value (which is sample1 in this case).

0 Karma
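
An added example, not from any poster in this thread: a run-anywhere search that returns only the targetName value per ObjectID by expanding each Properties object on its own, so a property with no Value cannot shift the Name/Value pairing the way an index-based mvzip would. The two events are constructed sample data using the capitalised Name/Value keys from the posts above (event 001 deliberately has a targetClass entry without a Value ahead of targetName), and prop is a hypothetical scratch field name.

```spl
| makeresults
| eval _raw="{\"ObjectID\":\"001\",\"Properties\":[{\"Name\":\"targetClass\"},{\"Name\":\"targetName\",\"Value\":\"sample1\"},{\"Name\":\"targetApp\",\"Value\":\"App1\"}]}"
| append
    [| makeresults
    | eval _raw="{\"ObjectID\":\"002\",\"Properties\":[{\"Name\":\"targetName\",\"Value\":\"sample2\"},{\"Name\":\"targetClass\",\"Value\":\"class2\"},{\"Name\":\"targetApp\",\"Value\":\"App2\"}]}"]
| spath path=ObjectID output=ObjectID
| spath path=Properties{} output=prop
| mvexpand prop
| spath input=prop
| where Name="targetName"
| rename Value AS targetName
| table ObjectID targetName
```

On the sample data this yields 001/sample1 and 002/sample2; on real events, replace everything above the first spath with the base search.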