Zip values from JSON.

sandeepmakkena · ‎09-16-2019

I want to get the total units by PartNumber. I tried using spath but it didnt work maybe I am doing something wrong, this is my 1st time work with Json bodies in Splunk, can someone help. Thanks.

{ [-]
app: { [+]
}
dtm: 2019-09-16 11:21:30.780 PDT
logger: transaction.com.WEB_ORDER_CREATE
msg: { [-]
data: { [-]
cartId: 00000000-784f-642d-d000-0000784f142d
casId: a493ff7e-2d87-416c-ba08-0663107e958c
clientSubType: web.common
clientType: web
cosId: 80f1a259-7187-4f01-9c85-acd7e054233d
deliveryGroup: SINGLE_ADDRESS
features: [ [-]
crd
]
fraudDecision: NF
lineItems: [ [-]
{ [-]
commitCode: 0
deliveryDate: Wed, Sep 18
deliveryType: STH
partNumber: MRYR2LL/A
product: Phone 64GB Black
qty: 2
resolvedDate: Wed, Sep 18
shipMethodCode: E2
}
{ [-]
commitCode: 0
deliveryDate: Within 5 days after shipping
deliveryType: STH
partNumber: MRW62ZM/A
product: Phone Case
qty: 1
resolvedDate: In Stock
shipMethodCode: UG
}
]
ops.response: SUCCEEDED
orderType: order
payments: [ [+]
]
pssId: Wb90d652a55994842b0474288ba0dea76
remoteHost: 17.123.345
storeFront: { [+]
}
webOrderNumber: W12345678
}
headerData: { [+]
}
}
}

poete · ‎10-08-2019

Hello @sandeepmakkena,

please find below the query that results in a table containing the number of partNumber per qty.

|makeresults|eval _raw="{
    \"app\": {
        \"foo1\": \"bar1\"
    },
    \"dtm\": \"2019-09-16 11:21:30.780 PDT\",
    \"logger\": \"transaction.com.WEB_ORDER_CREATE\",
    \"msg\": {
        \"data\": {
            \"cartId\": \"00000000-784f-642d-d000-0000784f142d\",
            \"casId\": \"a493ff7e-2d87-416c-ba08-0663107e958c\",
            \"clientSubType\": \"web.common\",
            \"clientType\": \"web\",
            \"cosId\": \"80f1a259-7187-4f01-9c85-acd7e054233d\",
            \"deliveryGroup\": \"SINGLE_ADDRESS\",
            \"features\": [\"crd\"],
            \"fraudDecision\": \"NF\",
            \"lineItems\": [{
                    \"commitCode\": 0,
                    \"deliveryDate\": \"Wed, Sep 18\",
                    \"deliveryType\": \"STH\",
                    \"partNumber\": \"MRYR2LL/A\",
                    \"product\": \"Phone 64GB Black\",
                    \"qty\": 2,
                    \"resolvedDate\": \"Wed, Sep 18\",
                    \"shipMethodCode\": \"E2\"
                },
                {
                    \"commitCode\": 0,
                    \"deliveryDate\": \"Within 5 days after shipping\",
                    \"deliveryType\": \"STH\",
                    \"partNumber\": \"MRW62ZM/A\",
                    \"product\": \"Phone Case\",
                    \"qty\": 1,
                    \"resolvedDate\": \"In Stock\",
                    \"shipMethodCode\": \"UG\"
                }
            ],
            \"ops.response\": \"SUCCEEDED\",
            \"orderType\": \"order\",
            \"payments\": [{
                \"foo2\": \"bar2\"
            }],
            \"pssId\": \"Wb90d652a55994842b0474288ba0dea76\",
            \"remoteHost\": \"17.123.345\",
            \"storeFront\": {
                \"foo3\": \"bar3\"
            },
            \"webOrderNumber\": \"W12345678\"
        },
        \"headerData\": {
            \"foo4\": \"bar4\"
        }
    }
}"|spath |rename msg.data.lineItems{}.partNumber as partNumber msg.data.lineItems{}.qty as qty |table partNumber, qty| eval x=mvzip(partNumber, qty)|table x |mvexpand x
  | eval x = split(x,",")|eval partNumber = mvindex(x,0)|eval qty=mvindex(x,1)|table partNumber,qty

kamlesh_vaghela · ‎09-16-2019

@sandeepmakkena

Can you please share valid JSON event into code block?

Zip values from JSON.

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk