Hi. I have a JSON event that has nested arrays of objects within it.
In the Search app, it "prettifies" the top level of the JSON event, but does not provide us with a "pretty" form of nested arrays/objects. Unfortunately, the data is sensitive so I cannot provide a screenshot. But basically I'd like to be able to click the +/- sign and drill down into the nested JSON event. Instead, nested JSON is represented by a single string which is difficult to read.
I can use spath to extract the nested JSON fields, and that works, but we'd like to be able to explore the JSON in a drill-down fashion within the Search app.
I have verified that our JSON is valid.
Is there something I need to do to get the GUI to understand nested JSON?
Sorry if this question seems vague, just not sure how else to ask.
Thanks!
So I found this problem annoying enough to write a custom search command to solve it. Maybe someday the Splunk UI will offer an "expand all" feature, making nested JSON structures easier to navigate, but in the meantime this is what I do.
I have an app called JMESPath that includes an extra helper search command called jsonformat that does exactly what you're looking for. If your event is a JSON string, you can just call ... | jsonformat and it will replace the _raw field (the text of your event) with a formatted JSON string. This can also optionally sort the JSON object, set a custom indentation level, or format JSON fields (like after calling spath). There are many possibilities.
For more examples and use cases, see the jsonformat command reference.
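To show what a formatting command of this kind has to do for the case raised in the question (nested JSON that the viewer shows as one long string), here is an added example in Python. It is not the jsonformat command from the JMESPath app, only a stand-alone illustration of the same idea: parse the event text, optionally decode string values that are themselves JSON documents, then re-serialise with indentation and (optionally) sorted keys. The SAMPLE_RAW event, the function names, and the keyword options are all constructed for this example; the Splunk SDK wrapper that would turn format_events into a real streaming search command is deliberately left out so the block runs anywhere.

```python
import json

# Constructed sample event. The "payload" value is a JSON document that has been
# serialised into a string, which is exactly the shape that a viewer that only
# prettifies the top level renders as a single unreadable line.
SAMPLE_RAW = json.dumps({
    "user": "alice",
    "action": "login",
    "payload": json.dumps({
        "hosts": [
            {"name": "web1", "ports": [80, 443]},
            {"name": "db1", "ports": [5432]},
        ]
    }),
})


def decode_nested(value, max_depth=8):
    """Recursively replace string values that hold JSON objects/arrays with the
    parsed structure. Strings that merely look like JSON but fail to parse are
    left untouched; max_depth bounds recursion on adversarial inputs."""
    if max_depth <= 0:
        return value
    if isinstance(value, str):
        stripped = value.strip()
        if stripped[:1] in ("{", "["):
            try:
                return decode_nested(json.loads(stripped), max_depth - 1)
            except ValueError:
                return value
        return value
    if isinstance(value, dict):
        return {k: decode_nested(v, max_depth - 1) for k, v in value.items()}
    if isinstance(value, list):
        return [decode_nested(v, max_depth - 1) for v in value]
    return value


def format_event(raw, indent=2, sort_keys=False, expand_strings=True):
    """Return a pretty-printed version of one event's JSON text.

    Non-JSON text is returned unchanged, so the command is safe to run over a
    mixed result set. expand_strings=True also decodes nested JSON strings."""
    try:
        obj = json.loads(raw)
    except ValueError:
        return raw
    if expand_strings:
        obj = decode_nested(obj)
    return json.dumps(obj, indent=indent, sort_keys=sort_keys, ensure_ascii=False)


def format_events(events, field="_raw", **options):
    """Mimic a streaming search command: rewrite `field` (default _raw) in
    each event dict and pass every other field through untouched."""
    formatted = []
    for event in events:
        event = dict(event)
        if field in event:
            event[field] = format_event(event[field], **options)
        formatted.append(event)
    return formatted


if __name__ == "__main__":
    print(format_event(SAMPLE_RAW, sort_keys=True))
```

The recursion into string values is the part that matters for the question: without it the payload stays a quoted, backslash-escaped string and no amount of indentation makes the inner array of hosts readable. The depth limit is there because an event under your control is not the only thing that will ever pass through a search command.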
You need to adjust your sourcetype at the time of ingestion. I successfully followed ideas from https://answers.splunk.com/answers/148307/how-to-parse-and-extract-json-log-files-in-splunk.html
Have you tried the spath command?
https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Spath
Yes, I mentioned in my question that spath will extract the fields, but we can't drill down within the Search app.