Getting Data In

Expand json messages by default

Path Finder

We have json data being fed into splunk. How can I instruct Splunk to show me the JSON object expanded by default. If default expansion is not possible can I query such that the results are expanded. Right now they are collapsed and I have to click to get to the Json fields I want

Tags (2)

Esteemed Legend

At the top of your search results are field names, above the Time field name is a paintbrush with the word Format next to it. Click on this and select All lines for the Max Lines setting and Full for the Click Selection setting. Enjoy.

0 Karma

Engager

As a user without admin access, I settled on this client-only solution. Create a bookmarklet with this javascript (might need tweaking of the class in the future, but you can inspect the plus sign to see what it should be):

javascript:document.querySelectorAll('a.jsexpands').forEach(function(expander) {expander.click();});

chrome dev tools focused on the plus sign

Explorer

After opening a case with Splunk to find a method that will work without changing a Global setting, we settled on using this option; thanks! We made a slight modification to your JavaScript to account for multiple levels of JSON; if you are interested, the code is:

javascript:for(i=0;i<=3;i=i+1){document.querySelectorAll('a.jsexpands').forEach(function(expander) {expander.click();});}

Esteemed Legend

VERY COOL!

0 Karma

Explorer

Checking if [+] was found fixes the table view issue:

<script>
   function autoExpand(){
       // console.log("autoExpand started");                                                                                                                  
       var found = false;
       $(document).ready(function() {
           $(".jsexpands").each(function() {
               if($(this).html() == '[+]') {
                   found=true;
                   $(this)[0].click();
               }
           });
       });

       if (found) {setTimeout(function(){         $('.modalize-table-overlay').click();       }, 500);}
       //console.log("autoExpand complete");                                                                                                                  
   }
  // select the target node                                                                                                                                   
  var target = document.body;

  // create an observer instance                                                                                                                              
  var observer = new MutationObserver(function(mutations) {
      autoExpand();
  });

  // configuration of the observer:                                                                                                                           
  var config = { attributes: true, childList: true, characterData: true, subtree:true};

  // pass in the target node, as well as the observer options                                                                                                 
  observer.observe(target, config);
</script>

Explorer

Is there a way to apply this script to a specific app instead of on a global level?

0 Karma

Communicator

Yes, just upload it is the /appserver/static folder of your app as a *.js file after having removed '

0 Karma

Explorer

Breaks in table view though (closes a table you've expanded)

0 Karma

Explorer

spath doesn't work for this. I just want to be able to view the splunk results from my queries and I don't want to click on [+] sign for every json object/array within my log just to see what's in it.

Explorer
function autoExpand(){
    //console.log("autoExpand started");
    $(document).ready(function() {
        $(".Prop > a.showinline").each(function() {
            if($(this).html() == '[+]') {
                $(this)[0].click();
            }
        });
    });
    //console.log("autoExpand complete");
}

// select the target node
var target = document.body;

// create an observer instance
var observer = new MutationObserver(function(mutations) {
    autoExpand();
});

// configuration of the observer:
var config = { attributes: true, childList: true, characterData: true, subtree:true};

// pass in the target node, as well as the observer options
observer.observe(target, config);

Thank you brentryan. We are on 6.x and having this issue with second level nested json keys. We did contact Splunk support, who pointed us here but could not instruct where to place this js. We do have a feature request in now (SPL-142795).

Meanwhile, for newer versions (we are on 6.x) the code below works when placed into /opt/splunk/share/splunk/search_mrsparkle/templates/pages/base.html

<script>
 function autoExpand(){
     //console.log("autoExpand started");
     $(document).ready(function() {
         $(".jsexpands").each(function() {
             if($(this).html() == '[+]') {
                 $(this)[0].click();
             }
         });
     });
     setTimeout(function(){
        $('.modalize-table-overlay').click();
      }, 500);
     //console.log("autoExpand complete");
 }
// select the target node
 var target = document.body;

 // create an observer instance
 var observer = new MutationObserver(function(mutations) {
     autoExpand();
 });

 // configuration of the observer:
 var config = { attributes: true, childList: true, characterData: true, subtree:true};

 // pass in the target node, as well as the observer options
 observer.observe(target, config);
</script>
0 Karma

Path Finder

^ this worked for me. thanks!

0 Karma

Path Finder

also note, if you want to expand json data in dashboards you will need to add this to /opt/splunk/share/splunk/search_mrsparkle/templates/pages/dashboard.html

0 Karma

Revered Legend

You can use "spath" command to extract/expand all the fields in the json data. "index=xxxx sourcetype=yyyyy| spath"

0 Karma

Explorer

Anyone ever solve this?

0 Karma

Path Finder

Any way to do this? Could someone please clarify?

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!