Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to parse JSON with multiple array ?

jegron
New Member
‎07-31-2019 05:47 AM

Hi,

Here is a sample :

{   
     columnNames:   [
          usersession.city  
          Browser   
          name  
          count(duration)   
          median(duration)  
    ]   
     extrapolationLevel:     1  
     values:    [
        [   
         City1
         Browser1
         URL1   
         1  
         4795   
        ]   
        [
         City2
         Browser2
         URL2   
         1  
         9761   
        ]   
    ]   
}

How to parse it into a table or chart ? I tried some request with spath command without success.

Thanks in advance for your help.

0 Karma
Reply

Sukisen1981
Champion
‎07-31-2019 10:04 AM

try this : 

| makeresults | eval payload="{    
        columnNames:    [
           usersession.city    
           Browser    
           name    
           count(duration)    
           median(duration)    
       ]    
        extrapolationLevel:     1    
        values:    [
         [    
            City1
            Browser1
            URL1    
            1    
            4795    
         ]    
         [
            City2
            Browser2
            URL2    
            1    
            9761    
         ]    
       ]    
 }
" 
|  rex field=payload "(?ms)values\:+\s+\[+\s+(?<value>.*?)\]+\s+}" max_match=0 
| eval k=split(value,"]")| fields k 
|  fields - _time
| mvexpand k
| makemv delim=" " k
| eval usersession.city =mvindex(k,2)
| eval Browser=mvindex(k,3)
| eval name=mvindex(k,4)
| eval count(duration)=mvindex(k,6)
| eval median(duration)=mvindex(k,8)

NOTE : You might need to tinker with the values of the last 5 mvindex. Since i kinda copied from your text, count duration should ideally be mvindex(5) but I received a blank and hence switched to the next higher number. Try this code as is first and see the output.

0 Karma
Reply

Sukisen1981
Champion
‎08-19-2019 08:12 AM

hi @jegron

Please let us know if your issue has been resolved and accept the answer if it significantly helped your resolution. Do not forget to add additional resolution details for the benefit of other form members.

0 Karma
Reply

jaime_ramirez
Communicator
‎07-31-2019 09:33 AM

Hi

I tried to parse the sample without success. Are you sure the sample complies the rules for JSON formatting like the following?

{    
        "columnNames":  [
           "usersession.city",    
           "Browser",    
           "name",    
           "count(duration)",    
           "median(duration)"  
       ],    
        "extrapolationLevel":     1,   
        "values":    [
         [    
            "City1",
            "Browser1",
            "URL1",    
            1,    
            4795    
         ],    
         [
            "City2",
            "Browser2",
            "URL2",    
            1,    
            9761    
         ]    
       ]    
 }
0 Karma
Reply

jegron
New Member
‎08-01-2019 12:44 AM

Yes, I copy pasted the Splunk visualization but the raw have the quotation mark like in your post.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...