Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Json formatting in dashboard studio

sarit_s6
Engager
4 weeks ago

Hello
I have a table in dashboard studio and i want to show a part of the json field which contains sub objects
when running this  query :

index="stg_observability_s" AdditionalData.testName=*

sourcetype=SplunkQuality
AdditionalData.domain="*"
AdditionalData.pipelineName="*"
AdditionalData.buildId="15757128291"
AdditionalData.team="*"
testCategories="*"
AdditionalData.status="*"
AdditionalData.isFinalResult="*"
AdditionalData.fullName="***"
| search AdditionalData.testLog.logs{}=*

| spath path="AdditionalData.testLog.logs{}" output=logs
| table logs

the json looks flatten , i dont see the sub objects inside
is there a way to fix it ? 
thanks 

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
4 weeks ago

1. Ok. You're searching by full json paths which probably means that you're using indexed extractions. This is generally Not Good (tm).

2. You're using the table command at the end. It creates a summary table which does not do any additional formating. You might try to do

| fields logs
| fields - _raw _time
| rename logs as _raw

instead of the table command and use event list widget instead of table but I'm not sure it will look good.

0 Karma
Reply

sarit_s6
Engager
4 weeks ago

well... if im removing the table i see the entire event with the real structure, but i want to see only the testlogs.log part
how can i do it ?
using |fields does not help

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
4 weeks ago

Please provide some anonymised sample events which demonstrate the issue you are facing. Ideally, place these in a code block (using the </> formatting option).

0 Karma
Reply

sarit_s6
Engager
4 weeks ago 
 AdditionalData: { [-]
     buildId: 291
     buildUrl: https://github.com
     domain: ***
     env: PreProd
     errorMessage:   Verify live rates color
Assert.That(market.VerifyLiveRatesColor(), is equal to 'true')
  Expected: True
  But was:  False

     fullName: Automation.TestsFolder
     hidden: false
     isFinalResult: true
     maxRetries: 1
     pipelineName: ***
     platform: Backend
     repoUrl: ***
     retry: 1
     stackTrace:    at ***
     status: Failed
     team: ***
     testCategories: [ [+]
     ]
     testClass: Automation.TestsFolder
     testDuration: 00:00:51.763
     testLog: { [-]
       artifacts: { [+]
       }
       logs: [ [-]
         [06/19/2025 11:51:45] Initializing BaseTestUI
         [ [+]
         ]
         [06/19/2025 11:51:47] Initializing EtoroWorkFlows
         [ [+]
         ]

 

So if im using the query in my post, i don't see the [+] inside logs : .. i see it flat as one event

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
4 weeks ago

Please provide the raw event (not the formatted version e.g.

{"AdditionalData": { "buildId":291,
0 Karma
Reply

sarit_s6
Engager
4 weeks ago 
"AdditionalData":{"time":"2025-06-19T11:52:37","testName":"CheckLiveRatesTest","testClass":"Automation.TestsFolder","fullName":"Automation.TestsFolder","repoUrl":"***","pipelineName":"***","buildId":"291","platform":"Backend","buildUrl":"https://github.com/","domain":"***","team":"***","env":"PreProd","status":"Failed","testDuration":"00:00:51.763","retry":1,"maxRetries":1,"isFinalResult":true,"errorMessage":"  Verify live rates color\nAssert.That(market.VerifyLiveRatesColor(), is equal to 'true')\n  Expected: True\n  But was:  False\n","stackTrace":"   ***","triggeredManually":true,"hidden":false,"testLog":{"artifacts":{"Snapshot below: ":"http://www.dummyurl.com"},"logs":["[06/19/2025 11:51:45] Initializing BaseTestUI",["EndTime: 06/19/2025 11:51:47","Duration: 00:00:01.7646422","[06/19/2025 11:51:45] Driver configurations:\r\nIs local run: False\r\n
0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...