Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How do I display tab spaces in a table?

BearMormont
Path Finder
‎04-13-2019 08:34 AM

Take for example the following query:

| makeresults 
| eval json="{
 \"Name\": \"Sam\",
 \"Details\": [
    \"Occupation\": {
        \"Job\":\"Lawyer\",
        \"Salary\":100000    
    },
    \"Address\": {
        \"City\":\"Los Angeles\",
        \"State\":\"California\"
    }
 ]"

I can get the field "json" to appear in a table with line breaks by adding:

| makemv delim="
 " json
| table json

But the results look like this:

alt text

How do I get the table output to include the tab spaces so the fields are lined up properly in the eval statement?

So for example, the table output should like:

"Name": "Sam",
    "Details": [
        "Occupation": {
        "Job":"Lawyer",
        "Salary":100000
        },
    "Address": {
        "City":"Los Angeles",
        "State":"California"
    }
]

Basically I'd like all of the information indented nicely.

Thanks!

Tags (1)
Preview file
28 KB
0 Karma
Reply

woodcock
Esteemed Legend
‎04-13-2019 02:31 PM

Just upgrade to 7.2.latest; it will just work; with or without the makemv. See here
alt text

Preview file
155 KB
0 Karma
Reply

BearMormont
Path Finder
‎04-13-2019 04:53 PM

Thanks. In my particular case, I work for a larger organization and use Splunk just as a user, so upgrading isn't as easy for me. Are there any work-arounds for older versions?

0 Karma
Reply

niketn
Legend
‎04-13-2019 10:23 PM

@BearMormont is your search query showing JSON data from _raw event or are you showing it through statistical command?

You can change visualization from Table View to Event View to have proper JSON data formatting. Please refer to one of my older answers where I had added a EventView to Table View drilldown where Table View displayed JSON data as table columns and Event View displayed JSON payload as Event Viewer

https://answers.splunk.com/answers/587044/can-i-custom-code-a-splunk-table-to-include-json-i-1.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

BearMormont
Path Finder
‎04-14-2019 08:15 PM

Hi! Thanks. I did play around with the event view and setting _raw to the json field, and it does format it properly, with a very big "but...".

First, it always has a column for Event Time, which isn't the end of the world but doesn't need to be there and I'd like to remove it. But that's just my pet peeve.

My real issue is the event is by default collapsed, and for larger events I have to click "Show all 47 lines" or however many it has. That is a killer from a usability perspective.

Is there anyway to address those two issues?

0 Karma
Reply

woodcock
Esteemed Legend
‎04-15-2019 08:11 AM

Have you tried making your json field a Selected Field? Does this change anything?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...