topic Re: How to create sample JSON data and display it in a tree structure? in Splunk Search

How to create sample JSON data and display it in a tree structure?

LearningGuy — Fri, 18 Apr 2025 16:01:40 GMT

Hello,
How to create sample JSON data and display it in tree structure?
I used makeresults to create sample JSON data below

| makeresults 
| eval data = "{\"name\":\"John Doe\",\"age\":30,\"address\":{\"street\":\"123 Main St\",\"city\":\"Anytown\",\"state\":\"CA\",\"zip\":\"12345\"},\"interests\":[\"reading\",\"hiking\",\"coding\"]}"

The search result is below.

My expected output is below. I have the option to select "list" from the drop down, but this option is only available if I import the data to an index. Please help. Thanks

JSON data:

{ "name": "John Doe", "age": 30, "address": { "street": "123 Main St", "city": "Anytown", "state": "CA", "zip": "12345" }, "interests": [ "reading", "hiking", "coding" ] }

Re: How to create sample JSON data and display it in a tree structure?

livehybrid — Fri, 18 Apr 2025 16:05:29 GMT

Hi @LearningGuy

When using makeresults which is a report-generating command you get a table output.

When I want to get a JSON tree view you need it to be an eventbased output, I use this little tricky to get an event and then override with eval _raw like this:

index=_internal | head 1 | eval _raw="{\"name\":\"John Doe\",\"age\":30,\"address\":{\"street\":\"123 Main St\",\"city\":\"Anytown\",\"state\":\"CA\",\"zip\":\"12345\"},\"interests\":[\"reading\",\"hiking\",\"coding\"]}"

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: How to create sample JSON data and display it in a tree structure?

LearningGuy — Fri, 18 Apr 2025 17:49:36 GMT

Hello @livehybrid

If I literally used your query, I got no result, but if I changed the index name to one of my existing indexes, I got the same output.
1. Should I use one of my existing indexes for testing? (As I am not an admin, I don't have the ability to import JSON and create an index)
2. How do I create a summary index in JSON format with a tree structure?
Thank you so much for your help

Re: How to create sample JSON data and display it in a tree structure?

ITWhisperer — Fri, 18 Apr 2025 18:15:35 GMT

Not being admin, you might not have access to _internal which is why you get no events which you can override the _raw field. So, yes, try using one of the indexes you do have access to (with a corresponding timeframe so that you find at least 1 event).

Assuming you have access/permissions, you can add to a summary index with the collect command. https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Collect

Re: How to create sample JSON data and display it in a tree structure?

LearningGuy — Fri, 18 Apr 2025 18:41:26 GMT

Hi @ITWhisperer

Will a JSON format with a tree structure be supported if I create a summary index using a Splunk report?
The Splunk report automatically generated summary index using the "summaryindex" command , rather than the "collect" command.

According to the documentation you sent, using output_format=hec to get JSON-formatted output.

Thank you

Re: How to create sample JSON data and display it in a tree structure?

livehybrid — Fri, 18 Apr 2025 18:52:40 GMT

Hi @LearningGuy
Ah yes you do need access to the index you search but it can be any index.

You might actually be able to use the "windbag" command instead like this:

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: How to create sample JSON data and display it in a tree structure?

livehybrid — Fri, 18 Apr 2025 19:00:41 GMT

Hi @LearningGuy

Yes you can use output_mode=hec - see below:

| windbag | head 1 | eval _raw="{\"name\":\"John Doe\",\"age\":30,\"address\":{\"street\":\"123 Main St\",\"city\":\"Anytown\",\"state\":\"CA\",\"zip\":\"12345\"},\"interests\":[\"reading\",\"hiking\",\"coding\"]}" | eval source="answersDemo" | collect index=main output_format=hec

Then when I search index=main source=answersDemo:

Note - you need to ensure you have the run_collect capability for your role and also access to the index you are collecting in to.

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: How to create sample JSON data and display it in a tree structure?

LearningGuy — Fri, 18 Apr 2025 19:28:46 GMT

Hi @livehybrid

The windbag command worked just fine, but the collect command did not work.
How do I use collect command in the Splunk report that appended |summaryindex automatically?

Perhaps screenshot below will explain better. Thank you for your help

I have a Splunk report that generates summary index daily

The search query will be

index=summary report=json_test

When the report run daily, the search will be appended with "| summary index" command below:

| windbag | head 1 | eval _raw="{\"name\":\"John Doe\",\"age\":30,\"address\":{\"street\":\"123 Main St\",\"city\":\"Anytown\",\"state\":\"CA\",\"zip\":\"12345\"},\"interests\":[\"reading\",\"hiking\",\"coding\"]}" | summaryindex spool=t uselb=t addtime=t index="summary" file="RMD[random characters].stash_new" name="json_test" marker="hostname=\"https://aa.test.com/\",report=\"json_test\"