Getting Data In

Nested JSON in GUI

Branden
Builder

Hi. I have a JSON event that has nested arrays of objects within it.

In the Search app, it "prettifies" the top level of the JSON event, but does not provide us with a "pretty" form of nested arrays/objects. Unfortunately, the data is sensitive so I cannot provide a screenshot. But basically I'd like to be able to click the +/- sign and drill down into the nested JSON event. Instead, nested JSON is represented by a single string which is difficult to read.

I can use spath to extract the nested JSON fields, that works, but we'd like to be able to explore the JSON in a drill-down fashion within the Search app.

I have verified that our JSON is valid.

Is there something I need to do to get the GUI to understand nested JSON?

Sorry if this question seems vague, just not sure how else to ask.

Thanks!

0 Karma

Lowell
Super Champion

So I found this problem annoying enough to write a custom search command to solve it. Maybe someday the Splunk UI will offer an "expand all" feature, making nested JSON structures easier to navigate, but in the meantime this is what I do.

I have an app called JMESPath that includes an extra helper search command called jsonformat that does exactly what you're looking for. If your event is a JSON string, you can just call ... | jsonformat and it will replace the _raw field (the text of your event) with a formatted JSON string. This can also optionally sort the JSON object, set a custom indentation level, or format json fields (like after calling spath). There are many possibilities.

For more examples and use cases, see the jsonformat command reference.

0 Karma
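To make concrete what a formatting pass over an event's _raw text does, here is a stand-alone Python sketch added to this thread; it is not the JMESPath app's own code. The sample event is constructed, and the step that decodes string values which are themselves JSON is an assumption about one common reason nested data shows up as a single string, not something the jsonformat command is described as doing here.

```python
import json
from typing import Any

# Constructed sample _raw: valid JSON whose "payload" value is itself a
# JSON-encoded string, so a top-level pretty-printer shows it as one string.
SAMPLE_RAW = (
    '{"event":"login","user":{"name":"alice","roles":["admin","ops"]},'
    '"payload":"{\\"src\\":\\"10.0.0.5\\",\\"tags\\":[\\"vpn\\",\\"mfa\\"]}"}'
)


def expand_embedded_json(value: Any) -> Any:
    """Recursively turn string values that hold a JSON object or array into
    real nested structures. Scalars such as "12" are left as strings so that
    field types are not silently changed. (Assumed behaviour, see lead-in.)"""
    if isinstance(value, dict):
        return {k: expand_embedded_json(v) for k, v in value.items()}
    if isinstance(value, list):
        return [expand_embedded_json(v) for v in value]
    if isinstance(value, str):
        text = value.strip()
        if text[:1] in ("{", "["):
            try:
                return expand_embedded_json(json.loads(text))
            except ValueError:  # not actually JSON, keep the original string
                return value
    return value


def jsonformat_raw(raw: str, indent: int = 2, sort_keys: bool = False,
                   expand_strings: bool = True) -> str:
    """Return a pretty-printed copy of a JSON event's _raw text, optionally
    with keys sorted and embedded JSON strings expanded. If _raw is not valid
    JSON it is returned unchanged rather than replaced with an error."""
    try:
        data = json.loads(raw)
    except ValueError:
        return raw
    if expand_strings:
        data = expand_embedded_json(data)
    return json.dumps(data, indent=indent, sort_keys=sort_keys)


if __name__ == "__main__":
    print(jsonformat_raw(SAMPLE_RAW, sort_keys=True))
```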

droopy4096
New Member

You need to adjust your sourcetype at the time of ingestion. I successfully followed ideas from https://answers.splunk.com/answers/148307/how-to-parse-and-extract-json-log-files-in-splunk.html

0 Karma

woodcock
Esteemed Legend
0 Karma

Branden
Builder

Yes, I mentioned in my question that spath will extract the fields, but we can't drill down within the search app.

0 Karma