Re: Splunk 6 query format for JSON data

amanteja · ‎10-16-2013

We send JSON formatted data into Splunk. On upgrading to Splunk 6 I noticed that selecting the value of a JSON field no longer filters the query with an spath automatically.
For instance if the JSON data was

{
  level : "Info",
  message : "xxxx"
}

and one clicked on "Info"
in Splunk 5 the query would become

index="x" | spath "level" | search "level"="Info"

While in Splunk 6 it becomes

index="x"  Info

Is there a way to retain the behavior of Splunk 5?

rsennett_splunk · ‎11-09-2013

What's happened is that the "spath" has become silent as the extractions are now automatic...

click on the field in the fields list rather than the value in the event.
and select the value you want, in this case:
Field: level
Value: info

You should see: level = info in the search box

This now behaves like any other field, regardless of the format of the raw events.

Clicking on the event text also behaves like any other event regardless of the origins. Of course we maintain the JSON formatting for you in the raw view because JSON has the formatting directives...

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

Splunk 6 query format for JSON data

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation

Splunk 6 query format for JSON data

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk