
example event

{
  "test": {
   "x": "y",
   "a": "b",
   "code": {
     "one" : {
       "two": {
         "c": "d"
       }
     }
   }
 }
}

How can I extract some parts of the code block and present them as a table? Example:

one | c

I have tried putting together a query, but I am not sure how to extract specific fields:

| spath
| spath test.code{} output=code
| mvexpand code
user6481062
  • Hi User, that is not a valid JSON doc, and the spath command is for structured data formats, XML and JSON. Can you share what this data structure is? – Daniel Price Feb 24 '23 at 11:40
  • You can do something similar to this question: https://stackoverflow.com/questions/71419941/splunk-query-for-javascript-object-to-json-string but you would need to alter it to not have the single brackets around the values and support nested objects. Most likely something is wrong with how you're importing the data – Daniel Price Feb 24 '23 at 11:44
  • @DanielPrice Unfortunately I cannot share the data but updated the example with raw data format – user6481062 Feb 27 '23 at 15:26

1 Answer

| makeresults
| eval _raw="{
  \"test\": {
   \"x\": \"y\",
   \"a\": \"b\",
   \"code\": {
     \"one\" : {
       \"two\": {
         \"c\": \"d\"
       }
     }
   }
 }
}"
| spath test.code output=code
| table code
| spath input=code

The key idea here is the input=code: the spath command takes input as an optional argument for which field to find the JSON to extract the values from. Spath link

The results from the example given are:

Results from query

Daniel Price
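An added example, not part of the original question or answer: the same `input=` technique for the case where `test.code` is a JSON array rather than an object, which is the shape the `test.code{}` path in the question addresses. The event below is constructed, and the output field names `code` and `c` are arbitrary choices; the search returns one row per array element.

```spl
| makeresults
| eval _raw="{
  \"test\": {
    \"code\": [
      { \"one\": { \"two\": { \"c\": \"d\" } } },
      { \"one\": { \"two\": { \"c\": \"e\" } } }
    ]
  }
}"
| spath path=test.code{} output=code
| mvexpand code
| spath input=code path=one.two.c output=c
| table code c
```

Here `{}` selects the elements of the array, `mvexpand` splits them into separate rows, and the second `spath` reads `one.two.c` from each element through `input=code`.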