JSON formatting in Dashboard Studio

sarit_s6
Engager

Hello,
I have a table in Dashboard Studio and I want to show a part of the JSON field which contains sub-objects.
When running this query:

index="stg_observability_s" AdditionalData.testName=*
sourcetype=SplunkQuality
AdditionalData.domain="*"
AdditionalData.pipelineName="*"
AdditionalData.buildId="15757128291"
AdditionalData.team="*"
testCategories="*"
AdditionalData.status="*"
AdditionalData.isFinalResult="*"
AdditionalData.fullName="***"
| search AdditionalData.testLog.logs{}=*
| spath path="AdditionalData.testLog.logs{}" output=logs
| table logs

The JSON looks flattened; I don't see the sub-objects inside.
Is there a way to fix it?
Thanks

0 Karma

PickleRick
SplunkTrust

1. Ok. You're searching by full json paths which probably means that you're using indexed extractions. This is generally Not Good (tm).

2. You're using the table command at the end. It creates a summary table which does not do any additional formatting. You might try to do

| fields logs
| fields - _raw _time
| rename logs as _raw

instead of the table command and use the event list widget instead of a table, but I'm not sure it will look good.

0 Karma

sarit_s6
Engager

Well... if I'm removing the table I see the entire event with the real structure, but I want to see only the testlogs.log part.
How can I do it?
Using |fields does not help.

0 Karma

ITWhisperer
SplunkTrust

Please provide some anonymised sample events which demonstrate the issue you are facing. Ideally, place these in a code block (using the </> formatting option).

0 Karma

sarit_s6
Engager
 AdditionalData: { [-]
     buildId: 291
     buildUrl: https://github.com
     domain: ***
     env: PreProd
     errorMessage:   Verify live rates color
Assert.That(market.VerifyLiveRatesColor(), is equal to 'true')
  Expected: True
  But was:  False

     fullName: Automation.TestsFolder
     hidden: false
     isFinalResult: true
     maxRetries: 1
     pipelineName: ***
     platform: Backend
     repoUrl: ***
     retry: 1
     stackTrace:    at ***
     status: Failed
     team: ***
     testCategories: [ [+]
     ]
     testClass: Automation.TestsFolder
     testDuration: 00:00:51.763
     testLog: { [-]
       artifacts: { [+]
       }
       logs: [ [-]
         [06/19/2025 11:51:45] Initializing BaseTestUI
         [ [+]
         ]
         [06/19/2025 11:51:47] Initializing EtoroWorkFlows
         [ [+]
         ]

 

So if I'm using the query in my post, I don't see the [+] inside logs: ... I see it flat as one event.

0 Karma

ITWhisperer
SplunkTrust

Please provide the raw event (not the formatted version), e.g.

{"AdditionalData": { "buildId":291,
0 Karma

sarit_s6
Engager
"AdditionalData":{"time":"2025-06-19T11:52:37","testName":"CheckLiveRatesTest","testClass":"Automation.TestsFolder","fullName":"Automation.TestsFolder","repoUrl":"***","pipelineName":"***","buildId":"291","platform":"Backend","buildUrl":"https://github.com/","domain":"***","team":"***","env":"PreProd","status":"Failed","testDuration":"00:00:51.763","retry":1,"maxRetries":1,"isFinalResult":true,"errorMessage":"  Verify live rates color\nAssert.That(market.VerifyLiveRatesColor(), is equal to 'true')\n  Expected: True\n  But was:  False\n","stackTrace":"   ***","triggeredManually":true,"hidden":false,"testLog":{"artifacts":{"Snapshot below: ":"http://www.dummyurl.com"},"logs":["[06/19/2025 11:51:45] Initializing BaseTestUI",["EndTime: 06/19/2025 11:51:47","Duration: 00:00:01.7646422","[06/19/2025 11:51:45] Driver configurations:\r\nIs local run: False\r\n
0 Karma