Getting Data In

Nested JSON in GUI

Branden
Builder

Hi. I have an JSON event that has nested arrays of objects within it.

In the Search app, it "prettifies" the top level of the JSON event, but does not provide us with a "pretty" form of nested arrays/objects. Unfortunately, the data is sensitive so I cannot provide a screenshot. But basically I'd like to be able to click the +/- sign and drill down into the nested JSON event. Instead, nested JSON is represented by a single string which is difficult to read.

I can use spath to extract the nested JSON fields, that's works, but we'd like to be able to explore the JSON in a drill-down fashion within the Search app.

I have verified that our JSON is valid.

Is there something I need to do to get the GUI to understand nested JSON?

Sorry if this question seems vague, just not sure how else to ask.

Thanks!

0 Karma

Lowell
Super Champion

So I found this problem annoying enough to write a custom search command to solve it. Maybe someday the Splunk UI will off an "expand all" feature, making nested JSON structures easier to navigate, but in the meantime this is what I do.

I have an app called JMESPath that includes an extra helper search command called jsonformat that does exactly what you're looking for. If your event is a JSON string, you can just call ... | jsonformat and it will replace the _raw field (the text of your event) with a formatted JSON string. This can also optionally sort the JSON object, set a custom indentation level, or format json fields (like after calling spath). There are many possibilities.

For more examples and use cases, see the jsonformat command reference.

0 Karma

droopy4096
New Member

you need to adjust your sourcetype at the time of ingestion. I successfully followed ideas from https://answers.splunk.com/answers/148307/how-to-parse-and-extract-json-log-files-in-splunk.html

0 Karma

woodcock
Esteemed Legend
0 Karma

Branden
Builder

Yes, I mentioned in my question then spath will extract the fields, but we can't drill down within the search app.

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...