Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Expand json messages by default?

amanteja
Path Finder
‎09-18-2013 09:54 PM

We have json data being fed into splunk. How can I instruct Splunk to show me the JSON object expanded by default. If default expansion is not possible can I query such that the results are expanded. Right now they are collapsed and I have to click to get to the Json fields I want

Labels (1)
Labels
Tags (2)
Reply

woodcock
Esteemed Legend
‎05-06-2019 03:36 PM

At the top of your search results are field names, above the Time field name is a paintbrush with the word Format next to it. Click on this and select All lines for the Max Lines setting and Full for the Click Selection setting. Enjoy.

0 Karma
Reply

rokxer
Explorer
‎11-30-2022 06:16 AM

I tried on version 8.2.6.1 and it has no effect on json events. They keep being collapsed.

I am searching for a global way either, but cannot find any documentation.

Reply

SrividhyaB
Engager
‎12-07-2023 09:26 AM

Did anyone find solution for this ? The mentioned solutions doesnt seem to work

0 Karma
Reply

patkujawa_wf
Engager
‎12-14-2018 07:15 AM

As a user without admin access, I settled on this client-only solution. Create a bookmarklet with this javascript (might need tweaking of the class in the future, but you can inspect the plus sign to see what it should be):

javascript:document.querySelectorAll('a.jsexpands').forEach(function(expander) {expander.click();});

chrome dev tools focused on the plus sign

Reply

emceeMC
Engager
‎11-07-2022 04:22 PM

This is awesome. Thank you 🙂 

0 Karma
Reply

andrewzuehlke
Explorer
‎02-13-2019 05:09 AM

After opening a case with Splunk to find a method that will work without changing a Global setting, we settled on using this option; thanks! We made a slight modification to your JavaScript to account for multiple levels of JSON; if you are interested, the code is:

javascript:for(i=0;i<=3;i=i+1){document.querySelectorAll('a.jsexpands').forEach(function(expander) {expander.click();});}

Reply

woodcock
Esteemed Legend
‎07-17-2019 04:45 PM

VERY COOL!

0 Karma
Reply

stevesmoot
Explorer
‎03-23-2018 11:53 AM

Checking if [+] was found fixes the table view issue:

<script>
   function autoExpand(){
       // console.log("autoExpand started");                                                                                                                  
       var found = false;
       $(document).ready(function() {
           $(".jsexpands").each(function() {
               if($(this).html() == '[+]') {
                   found=true;
                   $(this)[0].click();
               }
           });
       });

       if (found) {setTimeout(function(){         $('.modalize-table-overlay').click();       }, 500);}
       //console.log("autoExpand complete");                                                                                                                  
   }
  // select the target node                                                                                                                                   
  var target = document.body;

  // create an observer instance                                                                                                                              
  var observer = new MutationObserver(function(mutations) {
      autoExpand();
  });

  // configuration of the observer:                                                                                                                           
  var config = { attributes: true, childList: true, characterData: true, subtree:true};

  // pass in the target node, as well as the observer options                                                                                                 
  observer.observe(target, config);
</script>
Reply

andrewzuehlke
Explorer
‎12-07-2018 06:25 AM

Is there a way to apply this script to a specific app instead of on a global level?

0 Karma
Reply

D2SI
Communicator
‎07-17-2019 02:40 PM

Yes, just upload it is the /appserver/static folder of your app as a *.js file after having removed '

0 Karma
Reply

stevesmoot
Explorer
‎03-20-2018 05:41 PM

Breaks in table view though (closes a table you've expanded)

0 Karma
Reply

brentryan
Explorer
‎12-16-2013 07:55 PM

spath doesn't work for this. I just want to be able to view the splunk results from my queries and I don't want to click on [+] sign for every json object/array within my log just to see what's in it.

Reply

brentryan
Explorer
‎12-16-2013 07:45 PM 
function autoExpand(){
    //console.log("autoExpand started");
    $(document).ready(function() {
        $(".Prop > a.showinline").each(function() {
            if($(this).html() == '[+]') {
                $(this)[0].click();
            }
        });
    });
    //console.log("autoExpand complete");
}

// select the target node
var target = document.body;

// create an observer instance
var observer = new MutationObserver(function(mutations) {
    autoExpand();
});

// configuration of the observer:
var config = { attributes: true, childList: true, characterData: true, subtree:true};

// pass in the target node, as well as the observer options
observer.observe(target, config);
Reply

rcordova_resona
Engager
‎06-30-2017 07:03 AM

Thank you brentryan. We are on 6.x and having this issue with second level nested json keys. We did contact Splunk support, who pointed us here but could not instruct where to place this js. We do have a feature request in now (SPL-142795).

Meanwhile, for newer versions (we are on 6.x) the code below works when placed into /opt/splunk/share/splunk/search_mrsparkle/templates/pages/base.html

<script>
 function autoExpand(){
     //console.log("autoExpand started");
     $(document).ready(function() {
         $(".jsexpands").each(function() {
             if($(this).html() == '[+]') {
                 $(this)[0].click();
             }
         });
     });
     setTimeout(function(){
        $('.modalize-table-overlay').click();
      }, 500);
     //console.log("autoExpand complete");
 }
// select the target node
 var target = document.body;

 // create an observer instance
 var observer = new MutationObserver(function(mutations) {
     autoExpand();
 });

 // configuration of the observer:
 var config = { attributes: true, childList: true, characterData: true, subtree:true};

 // pass in the target node, as well as the observer options
 observer.observe(target, config);
</script>
0 Karma
Reply

zhatsispgx
Path Finder
‎07-26-2017 11:13 AM

^ this worked for me. thanks!

0 Karma
Reply

zhatsispgx
Path Finder
‎07-26-2017 11:14 AM

also note, if you want to expand json data in dashboards you will need to add this to /opt/splunk/share/splunk/search_mrsparkle/templates/pages/dashboard.html

0 Karma
Reply

somesoni2
Revered Legend
‎12-16-2013 10:55 AM

You can use "spath" command to extract/expand all the fields in the json data. "index=xxxx sourcetype=yyyyy| spath"

0 Karma
Reply

brentryan
Explorer
‎12-16-2013 08:38 AM

Anyone ever solve this?

0 Karma
Reply

amanteja
Path Finder
‎09-19-2013 08:12 PM

Any way to do this? Could someone please clarify?

0 Karma
Reply
Get Updates on the Splunk Community!

Harnessing Splunk’s Federated Search for Amazon S3

Managing your data effectively often means balancing performance, costs, and compliance. Splunk’s Federated ...

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...