Object{1}
  ->a{4}
     col1: "1"
     col2: "2"
     col3: "3"
     col4: "4"
  ->b[2]
     0{2}
       col5: "55"
       col6: "66"
     1{2}
       col5: "5555"
       col6: "6666"

I want to write a query in Splunk that gives me the above result. I was able to get a -> col1, col2, col3, col4 displayed in a table.

But I wanted to check how I do it for the array:

  • What does the raw data look like? Is it JSON or some other format? Could you provide a mock-up of the desired output table using values from the same example of the raw data? The notation you used does not look like a common format. – dskrypa Feb 02 '23 at 01:00
  • I just wanted to show you a visual presentation of how the data looked, from https://codebeautify.org/string-to-json-online. The underlying data in raw format is something like: {"a":{"col1":"1",{col2":"2"}}}} – Kasis Shrestha Feb 02 '23 at 15:59
  • Splunk does not have "arrays". It has multivalue fields, but not arrays. – warren Feb 02 '23 at 16:07

1 Answer

Splunk doesn't have arrays, but it does have multivalue fields. Here I think you can use spath.

| makeresults
| eval data="{\"a\":{\"col1\":\"1\",\"col2\":\"2\",\"col3\":\"3\",\"col4\":\"4\"},\"b\":{\"0\":{\"col5\":\"55\",\"col6\":\"66\"},\"1\":{\"col5\":\"5555\",\"col6\":\"6666\"}}}"
| spath input=data
| table a.*
Chandika
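The answer above only tables the a.* fields and, in its makeresults data, models b as an object keyed "0" and "1" rather than the array the tree view at the top of the question shows (b[2]). The search below is an added example, not part of the original question or answer; it assumes b is a real JSON array of objects, as that tree view indicates, and uses a constructed single-event input via makeresults so it runs without any index. The field names b_element and col1..col6 are my own choices.

```spl
| makeresults
| eval data="{\"a\":{\"col1\":\"1\",\"col2\":\"2\",\"col3\":\"3\",\"col4\":\"4\"},\"b\":[{\"col5\":\"55\",\"col6\":\"66\"},{\"col5\":\"5555\",\"col6\":\"6666\"}]}"
| spath input=data path=a.col1 output=col1
| spath input=data path=a.col2 output=col2
| spath input=data path=a.col3 output=col3
| spath input=data path=a.col4 output=col4
| spath input=data path=b{} output=b_element
| mvexpand b_element
| spath input=b_element path=col5 output=col5
| spath input=b_element path=col6 output=col6
| table col1 col2 col3 col4 col5 col6
```

How it works: the first four spath calls pull the scalar members of a into plain field names. The path b{} makes spath return the array itself as a multivalue field with one value per element, each value still being the JSON text of that element. mvexpand then turns the single event into one row per element, copying the already-extracted col1..col4 onto every row, and a second spath over b_element parses col5 and col6 out of each row's own element. The result is two rows: (1, 2, 3, 4, 55, 66) and (1, 2, 3, 4, 5555, 6666).

If you only want the array shown as multivalue cells in a single row, `| spath input=data | table a.* b{}.*` is enough; spath's automatic extraction names the array leaves b{}.col5 and b{}.col6. Two caveats: do not mvexpand b{}.col5 and b{}.col6 separately, since expanding two multivalue fields independently loses the pairing between col5 and col6 of the same element; and mvexpand is bounded by the max_mem_usage_mb limit in limits.conf, so a large array or a large set of matching events can be silently truncated.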