Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Lift fields in nested json object to top level

dwh_splunk
Explorer
‎04-07-2017 07:01 AM

I have json data like this

{
  "default": 3
  "payload": { "a": 1,  "b": 4 }
}

The keys in my payload object differ for different usecases and I want to lift all the key-value pairs in the payload property to top level.
I.e I don't want to query 'payload.a' but simply 'a'.
With a fixed set of keys I could do this transformation in props.conf but as I said the keys of the payload object vary.

Is it possible to lift the contents of a nested object?
"spath output=$MAGIC path=payload.$MAGIC"

The best of what I can think at the moment is a (python) custom command, which does the trick, but you know ...
Sure there is a better way?!

PS: We are on splunk 6.4

0 Karma
Reply

somesoni2
Revered Legend
‎04-07-2017 07:33 AM

YOu could just simply rename the fields to remove payload. portion (using rename command in search OR creating field alias in props.conf/settings->Fields).

... | rename payload.* as *

https://docs.splunk.com/Documentation/Splunk/6.5.2/Knowledge/Configurefieldaliaseswithprops.conf

Reply

dwh_splunk
Explorer
‎04-10-2017 01:18 AM

Hi somesoni2, thanks for your answer!

I didn't knew about that I could it like that "rename stuff.* AS *". This definitely helps.

I would like to port this to my props.conf, but it doesn't work yet.

I tried

[<my_sourcetype>]
KV_MODE=json
FIELDALIAS-payload_general = payload.* AS *

but it has no effect whatsoever.
Is FIELDALIAS supposed to work with wildcards as well?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...