Splunk 6 query format for JSON data

amanteja — Thu, 17 Oct 2013 02:53:43 GMT

We send JSON formatted data into Splunk. On upgrading to Splunk 6 I noticed that selecting the value of a JSON field no longer filters the query with an spath automatically.
For instance if the JSON data was

{
  level : "Info",
  message : "xxxx"
}

and one clicked on "Info"
in Splunk 5 the query would become

index="x" | spath "level" | search "level"="Info"

While in Splunk 6 it becomes

index="x"  Info

Is there a way to retain the behavior of Splunk 5?

Re: Splunk 6 query format for JSON data

rsennett_splunk — Sat, 09 Nov 2013 19:38:53 GMT

What's happened is that the "spath" has become silent as the extractions are now automatic...

click on the field in the fields list rather than the value in the event.
and select the value you want, in this case:
Field: level
Value: info

You should see: level = info in the search box

This now behaves like any other field, regardless of the format of the raw events.

Clicking on the event text also behaves like any other event regardless of the origins. Of course we maintain the JSON formatting for you in the raw view because JSON has the formatting directives...

topic Re: Splunk 6 query format for JSON data in Getting Data In

Splunk 6 query format for JSON data

Re: Splunk 6 query format for JSON data