Re: Splunk 6 query format for JSON data

amanteja · ‎10-16-2013

We send JSON formatted data into Splunk. On upgrading to Splunk 6 I noticed that selecting the value of a JSON field no longer filters the query with an spath automatically.
For instance if the JSON data was

{
  level : "Info",
  message : "xxxx"
}

and one clicked on "Info"
in Splunk 5 the query would become

index="x" | spath "level" | search "level"="Info"

While in Splunk 6 it becomes

index="x"  Info

Is there a way to retain the behavior of Splunk 5?

rsennett_splunk · ‎11-09-2013

What's happened is that the "spath" has become silent as the extractions are now automatic...

click on the field in the fields list rather than the value in the event.
and select the value you want, in this case:
Field: level
Value: info

You should see: level = info in the search box

This now behaves like any other field, regardless of the format of the raw events.

Clicking on the event text also behaves like any other event regardless of the origins. Of course we maintain the JSON formatting for you in the raw view because JSON has the formatting directives...

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

Splunk 6 query format for JSON data

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Join the Conversation