Re: moving "spath" from query to config file

splunk_worker · ‎06-30-2014

Hi All
I want to move the spath from search query to the auto extraction configuration ie in props.conf and transforms.conf. Is this possible?

index=myindex | rex max_match=0 "(?{[^}]+})" | mvexpand json_field |spath input=json_field

spath breaks KV from complex JSON too. Hence I want use spath, but in configuration files instead of search query.

cpride_splunk · ‎11-13-2015

Given the fact that spath is happening after mvexpand and a rex -- I'm not sure it helps.

However if you were trying to basically have a single automatically extracted path command:

search foo=* | spath input=foo output=bar path=a.b

That is equivalent to (Spath Eval Function😞

search foo=* | eval bar=spath(foo, "a.b")

And you can embed that eval as a calculated field (Define Calculated Fields) to make it automatically extracted.

GauravSplunxter · ‎03-29-2017

I embedded in props.conf and not getting the results.
EVAL-bar = spath(foo, "a.b")
What am I doing wrong?

camillak · ‎06-27-2018

Did you set the stanza correctly? eg: [source::your_source]

Also the parse won't show up in an Events search, need to table or similar.

moving "spath" from query to config file