Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk 6 query format for JSON data

amanteja
Path Finder
‎10-16-2013 07:53 PM

We send JSON formatted data into Splunk. On upgrading to Splunk 6 I noticed that selecting the value of a JSON field no longer filters the query with an spath automatically.
For instance if the JSON data was

{
  level : "Info",
  message : "xxxx"
}

and one clicked on "Info"
in Splunk 5 the query would become

index="x" | spath "level" | search "level"="Info"

While in Splunk 6 it becomes

index="x"  Info

Is there a way to retain the behavior of Splunk 5?

Tags (4)
0 Karma
Reply

rsennett_splunk
Splunk Employee
Splunk Employee
‎11-09-2013 11:38 AM

What's happened is that the "spath" has become silent as the extractions are now automatic...

click on the field in the fields list rather than the value in the event.
and select the value you want, in this case:
Field: level
Value: info

You should see: level = info in the search box

This now behaves like any other field, regardless of the format of the raw events.

Clicking on the event text also behaves like any other event regardless of the origins. Of course we maintain the JSON formatting for you in the raw view because JSON has the formatting directives...

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...