https://community.splunk.com/t5/Getting-Data-In/Apply-spath-automatically-to-a-sourcetype-with-nested-JSON/m-p/407500#M72259 <P>No, it is exactly what I want. I already have INDEXED_EXTRACTIONS. I can search first-level fields just fine. But some of these fields are of type JSON object. Example:</P> <PRE><CODE> { "field1": "stringValue", "field2": [ { "field2_field1": 20 } ] } </CODE></PRE> <P>How do I search field2_field1 without doing <CODE>spath</CODE>?</P> Thu, 17 Jan 2019 22:47:07 GMT Motoko89 2019-01-17T22:47:07Z https://community.splunk.com/t5/Getting-Data-In/Apply-spath-automatically-to-a-sourcetype-with-nested-JSON/m-p/407497#M72256 <P>Hi all, I have JSON events with complex properties, aka nested JSON objects. I know how to apply <CODE>spath</CODE> and create <CODE>macro</CODE>. But I want to apply the macro automatically to the <CODE>sourcetype</CODE>. Something similar to automatic lookup. How do I do this? Thanks,</P> <P>EDIT:<BR /> I already have INDEXED_EXTRACTIONS. I can search first-level fields just fine. But some of these fields are of type JSON object. Example:</P> <PRE><CODE> { "field1": "stringValue", "field2": [ { "field2_field1": 20 } ] } </CODE></PRE> <P>How do I search <CODE>field2_field1</CODE> value without doing <CODE>spath</CODE>?</P> Wed, 16 Jan 2019 23:16:50 GMT https://community.splunk.com/t5/Getting-Data-In/Apply-spath-automatically-to-a-sourcetype-with-nested-JSON/m-p/407497#M72256 Motoko89 2019-01-16T23:16:50Z https://community.splunk.com/t5/Getting-Data-In/Apply-spath-automatically-to-a-sourcetype-with-nested-JSON/m-p/407498#M72257 <P>Hi,</P> <P>Question title and descriptions bit misleading, please find below comment based on Question title <STRONG>Apply spath automatically to a sourcetype with nested JSON</STRONG></P> <P>If you only want to apply <CODE>spath</CODE> to extract all fields from Nested JSON then I'll suggest to ingest data with JSON extractions.</P> <P>If you are forwarding data from Universal Forwarder then use below configurations on UF.</P> <P>props.conf</P> <PRE><CODE>[yoursourcetype] INDEXED_EXTRACTIONS = JSON </CODE></PRE> Thu, 17 Jan 2019 10:19:29 GMT https://community.splunk.com/t5/Getting-Data-In/Apply-spath-automatically-to-a-sourcetype-with-nested-JSON/m-p/407498#M72257 harsmarvania57 2019-01-17T10:19:29Z https://community.splunk.com/t5/Getting-Data-In/Apply-spath-automatically-to-a-sourcetype-with-nested-JSON/m-p/407499#M72258 <P>Hi,<BR /> Please find the accepted answers in below link on splunk answers, this might help you:<BR /> <A href="https://answers.splunk.com/answers/202023/is-it-possible-to-create-a-macro-to-do-this.html">https://answers.splunk.com/answers/202023/is-it-possible-to-create-a-macro-to-do-this.html</A> </P> Thu, 17 Jan 2019 11:03:43 GMT https://community.splunk.com/t5/Getting-Data-In/Apply-spath-automatically-to-a-sourcetype-with-nested-JSON/m-p/407499#M72258 nikita_p 2019-01-17T11:03:43Z https://community.splunk.com/t5/Getting-Data-In/Apply-spath-automatically-to-a-sourcetype-with-nested-JSON/m-p/407500#M72259 <P>No, it is exactly what I want. I already have INDEXED_EXTRACTIONS. I can search first-level fields just fine. But some of these fields are of type JSON object. Example:</P> <PRE><CODE> { "field1": "stringValue", "field2": [ { "field2_field1": 20 } ] } </CODE></PRE> <P>How do I search field2_field1 without doing <CODE>spath</CODE>?</P> Thu, 17 Jan 2019 22:47:07 GMT https://community.splunk.com/t5/Getting-Data-In/Apply-spath-automatically-to-a-sourcetype-with-nested-JSON/m-p/407500#M72259 Motoko89 2019-01-17T22:47:07Z https://community.splunk.com/t5/Getting-Data-In/Apply-spath-automatically-to-a-sourcetype-with-nested-JSON/m-p/407501#M72260 <P>Hi, I don't think it does. Please see my edit</P> Thu, 17 Jan 2019 22:52:09 GMT https://community.splunk.com/t5/Getting-Data-In/Apply-spath-automatically-to-a-sourcetype-with-nested-JSON/m-p/407501#M72260 Motoko89 2019-01-17T22:52:09Z https://community.splunk.com/t5/Getting-Data-In/Apply-spath-automatically-to-a-sourcetype-with-nested-JSON/m-p/407502#M72261 <P>I have ingested above sample data in my lab environment with <CODE>INDEXED_EXTRACTIONS = JSON</CODE> and it extracted nested JSON as well with field name <CODE>field2{}.field2_field1</CODE></P> <P>To access this field easily for further usage in stats or any other command it will be good to rename it like <CODE>| rename field2{}.* as *</CODE> and after that you will able to see field called <CODE>field2_field1</CODE> in Interesting fields.</P> Fri, 18 Jan 2019 09:01:04 GMT https://community.splunk.com/t5/Getting-Data-In/Apply-spath-automatically-to-a-sourcetype-with-nested-JSON/m-p/407502#M72261 harsmarvania57 2019-01-18T09:01:04Z https://community.splunk.com/t5/Getting-Data-In/Apply-spath-automatically-to-a-sourcetype-with-nested-JSON/m-p/407503#M72262 <P>Thanks! This works for me</P> Fri, 25 Jan 2019 22:30:49 GMT https://community.splunk.com/t5/Getting-Data-In/Apply-spath-automatically-to-a-sourcetype-with-nested-JSON/m-p/407503#M72262 Motoko89 2019-01-25T22:30:49Z https://community.splunk.com/t5/Getting-Data-In/Apply-spath-automatically-to-a-sourcetype-with-nested-JSON/m-p/407504#M72263 <P>The other way is to props.conf on your search head(s) with:</P> <PRE><CODE>[YourSourcetypeHere] KV_MODE = json </CODE></PRE> Sat, 26 Jan 2019 18:30:36 GMT https://community.splunk.com/t5/Getting-Data-In/Apply-spath-automatically-to-a-sourcetype-with-nested-JSON/m-p/407504#M72263 woodcock 2019-01-26T18:30:36Z