Re: Json formatting in dashboard studio

sarit_s6 · ‎06-22-2025

Hello
I have a table in dashboard studio and i want to show a part of the json field which contains sub objects
when running this query :

index="stg_observability_s" AdditionalData.testName=*

sourcetype=SplunkQuality
AdditionalData.domain="*"
AdditionalData.pipelineName="*"
AdditionalData.buildId="15757128291"
AdditionalData.team="*"
testCategories="*"
AdditionalData.status="*"
AdditionalData.isFinalResult="*"
AdditionalData.fullName="***"
| search AdditionalData.testLog.logs{}=*

| spath path="AdditionalData.testLog.logs{}" output=logs
| table logs

the json looks flatten , i dont see the sub objects inside
is there a way to fix it ?
thanks

PickleRick · ‎06-22-2025

1. Ok. You're searching by full json paths which probably means that you're using indexed extractions. This is generally Not Good (tm).

2. You're using the table command at the end. It creates a summary table which does not do any additional formating. You might try to do

| fields logs
| fields - _raw _time
| rename logs as _raw

instead of the table command and use event list widget instead of table but I'm not sure it will look good.

sarit_s6 · ‎06-23-2025

well... if im removing the table i see the entire event with the real structure, but i want to see only the testlogs.log part
how can i do it ?
using |fields does not help

ITWhisperer · ‎06-22-2025

Please provide some anonymised sample events which demonstrate the issue you are facing. Ideally, place these in a code block (using the </> formatting option).

sarit_s6 · ‎06-22-2025

 AdditionalData: { [-]
     buildId: 291
     buildUrl: https://github.com
     domain: ***
     env: PreProd
     errorMessage:   Verify live rates color
Assert.That(market.VerifyLiveRatesColor(), is equal to 'true')
  Expected: True
  But was:  False

     fullName: Automation.TestsFolder
     hidden: false
     isFinalResult: true
     maxRetries: 1
     pipelineName: ***
     platform: Backend
     repoUrl: ***
     retry: 1
     stackTrace:    at ***
     status: Failed
     team: ***
     testCategories: [ [+]
     ]
     testClass: Automation.TestsFolder
     testDuration: 00:00:51.763
     testLog: { [-]
       artifacts: { [+]
       }
       logs: [ [-]
         [06/19/2025 11:51:45] Initializing BaseTestUI
         [ [+]
         ]
         [06/19/2025 11:51:47] Initializing EtoroWorkFlows
         [ [+]
         ]

So if im using the query in my post, i don't see the [+] inside logs : .. i see it flat as one event

ITWhisperer · ‎06-22-2025

Please provide the raw event (not the formatted version e.g.

{"AdditionalData": { "buildId":291,

sarit_s6 · ‎06-22-2025

"AdditionalData":{"time":"2025-06-19T11:52:37","testName":"CheckLiveRatesTest","testClass":"Automation.TestsFolder","fullName":"Automation.TestsFolder","repoUrl":"***","pipelineName":"***","buildId":"291","platform":"Backend","buildUrl":"https://github.com/","domain":"***","team":"***","env":"PreProd","status":"Failed","testDuration":"00:00:51.763","retry":1,"maxRetries":1,"isFinalResult":true,"errorMessage":"  Verify live rates color\nAssert.That(market.VerifyLiveRatesColor(), is equal to 'true')\n  Expected: True\n  But was:  False\n","stackTrace":"   ***","triggeredManually":true,"hidden":false,"testLog":{"artifacts":{"Snapshot below: ":"http://www.dummyurl.com"},"logs":["[06/19/2025 11:51:45] Initializing BaseTestUI",["EndTime: 06/19/2025 11:51:47","Duration: 00:00:01.7646422","[06/19/2025 11:51:45] Driver configurations:\r\nIs local run: False\r\n

Json formatting in dashboard studio

Dashboard Studio

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation