Tarun
Reputation: 35
Parse JSON array to table in Splunk
I need some help in getting JSON array parsed into a table in splunk. Have below JSON data in splunk
data="[
{
'environment':test,
'name':Java,
'date':28-01-2018
},
{
'environment':prod,
'name':Javascript,
'date':28-01-2019
}
]"
I am expecting an output as
*******************************
Environment | name | date
*******************************
test | Java | 28-01-2018
prod | Javascript | 28-01-2019
Appreciate any help.
Regards
Upvotes: 1
Views: 12999
Answers (2)
Dhana
Reputation: 913
Looks you have to modify you log to have proper JSON structure.
After that you can use spath command to interpret and get the values from JSON. here is the sample solution
| makeresults
| eval _raw="data=\"[{\"environment\":\"test\",\"name\":\"Java\",\"date\":\"28-01-2018\"},{\"environment\":\"prod\",\"name\":\"Javascript\",\"date\":\"28-01-2019\"}]\""
| rex field=_raw "data=\"(?<data>.*)\""
| spath input=data
| table {}.date, {}.environment, {}.name
Upvotes: 2
NickDK
Reputation: 1
It should be fairly simple using spath
your search base |spath input=data
Upvotes: -2
Related Questions
- Splunk Event JSON to Table
- In Splunk, Need to Pull Data from Nested JSON Array in an Array
- How to build a Splunk query that extracts data from a JSON array?
- Splunk : Spath searching the JSON array
- Splunk : Extracting the elements from JSON structure as separate fields
- Splunk query to retrieve value from json log event and get it in a table
- Splunk query to get field from JSON cell
- How to extract fields from JSON string in Splunk
- Querying about field with JSON type value
- Extracting values from json in Splunk using spath