Json formatting in dashboard studio

sarit_s6 · ‎06-22-2025

Hello
I have a table in dashboard studio and i want to show a part of the json field which contains sub objects
when running this query :

index="stg_observability_s" AdditionalData.testName=*

sourcetype=SplunkQuality
AdditionalData.domain="*"
AdditionalData.pipelineName="*"
AdditionalData.buildId="15757128291"
AdditionalData.team="*"
testCategories="*"
AdditionalData.status="*"
AdditionalData.isFinalResult="*"
AdditionalData.fullName="***"
| search AdditionalData.testLog.logs{}=*

| spath path="AdditionalData.testLog.logs{}" output=logs
| table logs

the json looks flatten , i dont see the sub objects inside
is there a way to fix it ?
thanks

PickleRick · ‎06-22-2025

1. Ok. You're searching by full json paths which probably means that you're using indexed extractions. This is generally Not Good (tm).

2. You're using the table command at the end. It creates a summary table which does not do any additional formating. You might try to do

| fields logs
| fields - _raw _time
| rename logs as _raw

instead of the table command and use event list widget instead of table but I'm not sure it will look good.

sarit_s6 · ‎06-23-2025

well... if im removing the table i see the entire event with the real structure, but i want to see only the testlogs.log part
how can i do it ?
using |fields does not help

ITWhisperer · ‎06-22-2025

Please provide some anonymised sample events which demonstrate the issue you are facing. Ideally, place these in a code block (using the </> formatting option).

sarit_s6 · ‎06-22-2025

 AdditionalData: { [-]
     buildId: 291
     buildUrl: https://github.com
     domain: ***
     env: PreProd
     errorMessage:   Verify live rates color
Assert.That(market.VerifyLiveRatesColor(), is equal to 'true')
  Expected: True
  But was:  False

     fullName: Automation.TestsFolder
     hidden: false
     isFinalResult: true
     maxRetries: 1
     pipelineName: ***
     platform: Backend
     repoUrl: ***
     retry: 1
     stackTrace:    at ***
     status: Failed
     team: ***
     testCategories: [ [+]
     ]
     testClass: Automation.TestsFolder
     testDuration: 00:00:51.763
     testLog: { [-]
       artifacts: { [+]
       }
       logs: [ [-]
         [06/19/2025 11:51:45] Initializing BaseTestUI
         [ [+]
         ]
         [06/19/2025 11:51:47] Initializing EtoroWorkFlows
         [ [+]
         ]

So if im using the query in my post, i don't see the [+] inside logs : .. i see it flat as one event

ITWhisperer · ‎06-22-2025

Please provide the raw event (not the formatted version e.g.

{"AdditionalData": { "buildId":291,

sarit_s6 · ‎06-22-2025

"AdditionalData":{"time":"2025-06-19T11:52:37","testName":"CheckLiveRatesTest","testClass":"Automation.TestsFolder","fullName":"Automation.TestsFolder","repoUrl":"***","pipelineName":"***","buildId":"291","platform":"Backend","buildUrl":"https://github.com/","domain":"***","team":"***","env":"PreProd","status":"Failed","testDuration":"00:00:51.763","retry":1,"maxRetries":1,"isFinalResult":true,"errorMessage":"  Verify live rates color\nAssert.That(market.VerifyLiveRatesColor(), is equal to 'true')\n  Expected: True\n  But was:  False\n","stackTrace":"   ***","triggeredManually":true,"hidden":false,"testLog":{"artifacts":{"Snapshot below: ":"http://www.dummyurl.com"},"logs":["[06/19/2025 11:51:45] Initializing BaseTestUI",["EndTime: 06/19/2025 11:51:47","Duration: 00:00:01.7646422","[06/19/2025 11:51:45] Driver configurations:\r\nIs local run: False\r\n

Json formatting in dashboard studio

Dashboard Studio

Wrapping Up Cybersecurity Awareness Month

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

What's New in Splunk Observability - October 2025

Are you a member of the Splunk Community?

Json formatting in dashboard studio

Dashboard Studio

Wrapping Up Cybersecurity Awareness Month

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

What's New in Splunk Observability - October 2025