Lift fields in nested json object to top level

dwh_splunk · ‎04-07-2017

I have json data like this

{
  "default": 3
  "payload": { "a": 1,  "b": 4 }
}

The keys in my payload object differ for different usecases and I want to lift all the key-value pairs in the payload property to top level.
I.e I don't want to query 'payload.a' but simply 'a'.
With a fixed set of keys I could do this transformation in props.conf but as I said the keys of the payload object vary.

Is it possible to lift the contents of a nested object?
"spath output=$MAGIC path=payload.$MAGIC"

The best of what I can think at the moment is a (python) custom command, which does the trick, but you know ...
Sure there is a better way?!

PS: We are on splunk 6.4

somesoni2 · ‎04-07-2017

YOu could just simply rename the fields to remove payload. portion (using rename command in search OR creating field alias in props.conf/settings->Fields).

... | rename payload.* as *

https://docs.splunk.com/Documentation/Splunk/6.5.2/Knowledge/Configurefieldaliaseswithprops.conf

dwh_splunk · ‎04-10-2017

Hi somesoni2, thanks for your answer!

I didn't knew about that I could it like that "rename stuff.* AS *". This definitely helps.

I would like to port this to my props.conf, but it doesn't work yet.

I tried

[<my_sourcetype>]
KV_MODE=json
FIELDALIAS-payload_general = payload.* AS *

but it has no effect whatsoever.
Is FIELDALIAS supposed to work with wildcards as well?

Lift fields in nested json object to top level

Splunk Observability Cloud | Customer Survey!

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

Starting With Observability: OpenTelemetry Best Practices