Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Lift fields in nested json object to top level

dwh_splunk
Explorer
‎04-07-2017 07:01 AM

I have json data like this

{
  "default": 3
  "payload": { "a": 1,  "b": 4 }
}

The keys in my payload object differ for different usecases and I want to lift all the key-value pairs in the payload property to top level.
I.e I don't want to query 'payload.a' but simply 'a'.
With a fixed set of keys I could do this transformation in props.conf but as I said the keys of the payload object vary.

Is it possible to lift the contents of a nested object?
"spath output=$MAGIC path=payload.$MAGIC"

The best of what I can think at the moment is a (python) custom command, which does the trick, but you know ...
Sure there is a better way?!

PS: We are on splunk 6.4

0 Karma
Reply

somesoni2
Revered Legend
‎04-07-2017 07:33 AM

YOu could just simply rename the fields to remove payload. portion (using rename command in search OR creating field alias in props.conf/settings->Fields).

... | rename payload.* as *

https://docs.splunk.com/Documentation/Splunk/6.5.2/Knowledge/Configurefieldaliaseswithprops.conf

Reply

dwh_splunk
Explorer
‎04-10-2017 01:18 AM

Hi somesoni2, thanks for your answer!

I didn't knew about that I could it like that "rename stuff.* AS *". This definitely helps.

I would like to port this to my props.conf, but it doesn't work yet.

I tried

[<my_sourcetype>]
KV_MODE=json
FIELDALIAS-payload_general = payload.* AS *

but it has no effect whatsoever.
Is FIELDALIAS supposed to work with wildcards as well?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...