From e57eb277adea6e9e87a9bd39de8424146792ffdd Mon Sep 17 00:00:00 2001
From: Lowell Alleman
Date: Fri, 9 Nov 2018 07:59:08 -0500
Subject: [PATCH] Support nested parsing function

Closes #6
---
 bin/jpath.py | 32 ++++++++++++++++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)

diff --git a/bin/jpath.py b/bin/jpath.py
index e96b569..18ef230 100644
--- a/bin/jpath.py
+++ b/bin/jpath.py
@@ -1,4 +1,3 @@
-# Version 1.0
 import json
 import os
 import sys
@@ -11,9 +10,37 @@ sys.path.append(os.path.join(DIR, "lib"))
 import jmespath
+from jmespath import functions
 from jmespath.exceptions import ParseError, JMESPathError, UnknownFunctionError
+# Custom functions for the JMSEPath language to make some typical splunk use cases easier to manage
+class JmesPathSplunkExtraFunctions(functions.Functions):
+
+ @functions.signature({'types': ['string', 'array']})
+ def _func_parse(self, s):
+ """
+ Possible name options:
+ parse Nice, but parse what?
+ from_string Parity with to_string (exports data AS a json string)
+ from_json? Maybe more clear? not sure
+ unnest Can't get past the double "n"s
+ jsonstr My first option, but don't like it.
+ """
+ # XXX: Figure out how to make this properly support (pass-through) a 'null' type
+ if s is None:
+ return None
+ if isinstance(s, (list,tuple)):
+ return [ json.loads(i) for i in s ]
+ try:
+ return json.loads(s)
+ except:
+ return s
+
+jp_options = jmespath.Options(custom_functions=JmesPathSplunkExtraFunctions())
+
+
+
 def flatten(container):
 if isinstance(container, (list, tuple)):
 for i in container:
@@ -26,6 +53,7 @@ def flatten(container):
 yield str(container)
+
 if __name__ == '__main__':
 try:
 keywords, options = si.getKeywordsAndOptions()
@@ -58,7 +86,7 @@ def flatten(container):
 # Invalid JSON. Move on, nothing to see here.
 continue
 try:
- values = jp.search(json_obj)
+ values = jp.search(json_obj, options=jp_options)
 result[outfield] = list(flatten(values))
 result[ERROR_FIELD] = None
 added = True
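Review bot: In `_func_parse` the array branch calls `json.loads(i)` on every element with no error handling, while the scalar branch hides every failure behind a bare `except:`; the two paths should fail the same way. A single element of event data that is not valid JSON, or not a string at all, raises out of the custom function, and whether the `try` around `jp.search(json_obj, options=jp_options)` in the last hunk catches it depends on handlers outside this diff; the imports suggest they target JMESPath errors only. The bare `except:` also catches `KeyboardInterrupt` and `SystemExit`, so narrow it to `(TypeError, ValueError)` and route both branches through one helper. Separately, the `if s is None` check looks unreachable because the signature admits only `string` and `array`, and the docstring lists naming ideas rather than stating what the function accepts and returns.

```python
def _loads_or_raw(value):
    # Fall back to the raw value only when it is not parseable JSON text.
    try:
        return json.loads(value)
    except (TypeError, ValueError):
        return value

class JmesPathSplunkExtraFunctions(functions.Functions):
    # … unchanged: signature decorator, def line, docstring, None check …
        if isinstance(s, (list, tuple)):
            return [_loads_or_raw(i) for i in s]
        return _loads_or_raw(s)
```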