https://community.splunk.com/t5/Getting-Data-In/Nested-JSON-in-GUI/m-p/291410#M55547 <P>Have you tried the <CODE>spath</CODE> command:</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Spath">https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Spath</A></P> Wed, 22 Mar 2017 18:58:11 GMT woodcock 2017-03-22T18:58:11Z https://community.splunk.com/t5/Getting-Data-In/Nested-JSON-in-GUI/m-p/291409#M55546 <P>Hi. I have an JSON event that has nested arrays of objects within it. </P> <P>In the Search app, it "prettifies" the top level of the JSON event, but does not provide us with a "pretty" form of nested arrays/objects. Unfortunately, the data is sensitive so I cannot provide a screenshot. But basically I'd like to be able to click the +/- sign and drill down into the nested JSON event. Instead, nested JSON is represented by a single string which is difficult to read.</P> <P>I can use spath to extract the nested JSON fields, that's works, but we'd like to be able to explore the JSON in a drill-down fashion within the Search app.</P> <P>I have verified that our JSON is valid. </P> <P>Is there something I need to do to get the GUI to understand nested JSON?</P> <P>Sorry if this question seems vague, just not sure how else to ask.</P> <P>Thanks!</P> Wed, 22 Mar 2017 16:47:27 GMT https://community.splunk.com/t5/Getting-Data-In/Nested-JSON-in-GUI/m-p/291409#M55546 Branden 2017-03-22T16:47:27Z https://community.splunk.com/t5/Getting-Data-In/Nested-JSON-in-GUI/m-p/291410#M55547 <P>Have you tried the <CODE>spath</CODE> command:</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Spath">https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Spath</A></P> Wed, 22 Mar 2017 18:58:11 GMT https://community.splunk.com/t5/Getting-Data-In/Nested-JSON-in-GUI/m-p/291410#M55547 woodcock 2017-03-22T18:58:11Z https://community.splunk.com/t5/Getting-Data-In/Nested-JSON-in-GUI/m-p/291411#M55548 <P>Yes, I mentioned in my question then spath will extract the fields, but we can't drill down within the search app. </P> Wed, 22 Mar 2017 19:45:58 GMT https://community.splunk.com/t5/Getting-Data-In/Nested-JSON-in-GUI/m-p/291411#M55548 Branden 2017-03-22T19:45:58Z https://community.splunk.com/t5/Getting-Data-In/Nested-JSON-in-GUI/m-p/291412#M55549 <P>you need to adjust your sourcetype at the time of ingestion. I successfully followed ideas from <A href="https://answers.splunk.com/answers/148307/how-to-parse-and-extract-json-log-files-in-splunk.html">https://answers.splunk.com/answers/148307/how-to-parse-and-extract-json-log-files-in-splunk.html</A></P> Fri, 14 Apr 2017 18:00:31 GMT https://community.splunk.com/t5/Getting-Data-In/Nested-JSON-in-GUI/m-p/291412#M55549 droopy4096 2017-04-14T18:00:31Z https://community.splunk.com/t5/Getting-Data-In/Nested-JSON-in-GUI/m-p/291413#M55550 <P>So I found this problem annoying enough to write a custom search command to solve it. Maybe someday the Splunk UI will off an "expand all" feature, making nested JSON structures easier to navigate, but in the meantime this is what I do.</P> <P>I have an app called <A href="https://splunkbase.splunk.com/app/3237/">JMESPath</A> that includes an extra helper search command called <CODE>jsonformat</CODE> that does exactly what you're looking for. If your event is a JSON string, you can just call <CODE>... | jsonformat</CODE> and it will replace the <CODE>_raw</CODE> field (the text of your event) with a formatted JSON string. This can also optionally sort the JSON object, set a custom indentation level, or format json fields (like after calling <CODE>spath</CODE>). There are many possibilities.</P> <P>For more examples and use cases, see the <A href="https://github.com/Kintyre/jmespath/wiki/Command-Reference-jsonformat">jsonformat</A> command reference. </P> Tue, 20 Nov 2018 23:54:27 GMT https://community.splunk.com/t5/Getting-Data-In/Nested-JSON-in-GUI/m-p/291413#M55550 Lowell 2018-11-20T23:54:27Z