小贝子编程

在Splunk中,需要从数组中的嵌套JSON数组中提取数据



我有一些数据是数组中的数组。如果方便的话,在StopData中只会有一个嵌套数组。

{
"Name": "ExceptionLogs",
"Id": "Id1",
"StopData": [
[
{
"level": "ERROR",
"code": "UCV019",
"description": "Invalid port type",
"detail": "100000 Mbps"
},
{
"level": "WARN",
"code": "UCV023",
"description": "Unrecognized key for config option",
"detail": "sourceSystemProductName"
}
]
]
}

我想有一个表,级别,代码,描述和细节对象的字段。还有,这是一排splunk。在许多行中,Id字段将是不同的。数组中可以有很多元素。我想把所有的行放在一个长表中。

Id  level code   description         detail
--- ----- ----   -----------         ------
Id1 ERROR UCV019 Invalid port type   100000 Mbps
Id1 WARN  UCV023 Unrecognized key... sourceSystemProductName
Id2 ERROR UCL013 Invalid Config      334115687

我试着搜索和搜索,但我无法拼凑任何显示任何数据的东西。

备选答案,与Richg的答案相似这解决了一个问题,如果你需要在json列表中提取的任何字段不存在于每个元素中,它们将无法正确提取。

这也避免了MVZIP,这可能是一个噩梦,添加更多的字段提取并适用于json列表中的所有字段

| spath 
| spath StopData{}{} output=StopData
| mvexpand StopData
| spath input=StopData
| fields - StopData _raw _time

示例1:

| makeresults 
| eval _raw="{
"Name": "ExceptionLogs",
"Id": "Id1",
"StopData": [
[
{
"level": "ERROR",
"code": "UCV019",
"description": "Invalid port type",
"detail": "100000 Mbps"
},
{
"level": "WARN",
"code": "UCV023",
"description": "Unrecognized key for config option",
"detail": "sourceSystemProductName",
"test":"123"
}
]
]
}"

示例2:

| makeresults 
| eval _raw="{
"Name": "ExceptionLogs",
"Id": "Id1",
"StopData": [
[
{
"level": "ERROR",
"code": "UCV019",
"description": "Invalid port type",
"detail": "100000 Mbps"
},
{
"level": "WARN",
"code": "UCV023",
"description": "Unrecognized key for config option",
"detail": "sourceSystemProductName",
"test":"123"
},
{
"level": "INFO",
"code": "UCV021",
"description": "Price key for config option",
"detail": "sourceSystemProductPrice",
"test":"456"
}
]
]
}"

这将有助于了解您尝试了哪些搜索,以便我们可以帮助您了解为什么没有得到结果。

spath命令开始,将JSON数据解析为字段。这将为每个Id提供几个多值字段。如果我们只有一个多值字段,那么我们将使用mvexpand将其分解为单独的事件,但这不适用于多个字段。为了解决这个问题,使用mvzip将所有多值字段合并为单个多值字段,然后展开并解压缩它。

试试这个随处运行的示例查询。

| makeresults | eval _raw="{
"Name": "ExceptionLogs",
"Id": "Id1",
"StopData": [
[
{
"level": "ERROR",
"code": "UCV019",
"description": "Invalid port type",
"detail": "100000 Mbps"
},
{
"level": "WARN",
"code": "UCV023",
"description": "Unrecognized key for config option",
"detail": "sourceSystemProductName"
}
]
]
}" 
```Everything above is just test data.  Don't use IRL```
```Parse the JSON```
| spath 
```Simplify the field names```
| rename "StopData{}{}.*" as *
```Combine the multi-value fields```
| eval deets=mvzip(level,mvzip(code, mvzip(description,detail)))
```Create separate events for the fields in each Id```
| mvexpand deets
```Unzip the multi-value fields```
| eval deets=split(deets,",")
| eval level=mvindex(deets,0), code=mvindex(deets,1), description=mvindex(deets,2), detail=mvindex(deets,3)
```Display the results```
| table Id level code   description         detail

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium