Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk - how to filter json search results

evanxu
Explorer
‎07-20-2020 07:01 AM

My splunk search returns one event as below: notice agent data is in a nested json format.  agentName and agentSwitch are nested fields within agent.  

testsplunk.JPG

I would like to filter within this result so that the output would only display 

agentName = "ether" and agentSwitchName="soul".   

 

I have tried to filter using spath and table but each time it would return ALL agentNames, how can i correctly filter the output?  

My search | spath | table environemnt, agent{}.agentName | search agent{}.agentName="ether"

Labels (1)
Labels
Tags (1)
0 Karma
Reply

to4kawa
Ultra Champion
‎07-20-2020 02:36 PM

My search | spath agent{} output=agent

| mvexpand agent | spath input=agent | search agentName="ether"

Reply

evanxu
Explorer
‎07-21-2020 07:42 PM

Hi @to4kawa , thank you, i have one more request, 
my search correctly returns agent ether, however, it also returns all agent switch names even though I specified agentSwitchName "soul".   I think this has to do with agentSwitchName being nested within agent.   Could you help ?

mysearch |  spath agent{} output=agent | mvexpand agent | spath input=agent
| search agentName="ether" AND agentSwitchName="soul"

 

0 Karma
Reply

to4kawa
Ultra Champion
‎07-22-2020 02:38 AM

I don't know your log. I can't do that.

0 Karma
Reply

evanxu
Explorer
‎07-22-2020 05:07 AM

The json screenshot is the result of my search, it returns a single event with nested json.   I am attempting to reformat/filter the event output to show only agentName: ether and agentSwitchName: soul, preferably in a tabular format. 

testsplunk.JPG

mysearch |  spath agent{} output=agent | mvexpand agent | spath input=agent
| search agentName="ether" AND agentSwitchName="soul"  | table agentName, agentSwitchName

However instead of getting "soul" only, I am getting both "infinity" and "soul", so it looks like 

current.JPG

This is the output I really want: 

target.JPG

Thank you

0 Karma
Reply

to4kawa
Ultra Champion
‎07-22-2020 06:42 AM

you can do it, I can't do it by only sample pics.


0 Karma
Reply

spitchika
Path Finder
‎07-22-2020 08:07 AM
 
 
Hi, 

Best thing I do in this situation is changing log display format to "Raw" and capture correct left and right boundaries with rex command. (If require max_match option). Right now default json view would be "List" view.

spitchika_0-1595430181338.png

 

Reply

evanxu
Explorer
‎07-26-2020 07:07 PM

Thank you for the hint.    I tried to add the clause below and the data returned correctly.  

| rename data as _raw
| extract

0 Karma
Reply

spitchika
Path Finder
‎07-27-2020 07:47 AM 
Perfect!! Thank you.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...