How to convert multiple individual json objects in...

damode1 · ‎05-21-2023

I want to convert some of the below individual json objects in the event into nested single json object like the second example

Current Format

{
    "ID": 1,
    "Timestamp": "2023-05-18T05:07:59.940594300Z",
    "FileVersion": "10.0.17134.1 (WinBuild.160101.0800)",
    "Company": "Microsoft Corporation",
    "TerminalSessionId": 0,
    "UtcTime": "2018-08-20 15:18:59.929",
    "Product": "Microsoft® Windows® Operating System",
}

Expected Format

{
    "ID": 1,
    "Timestamp": "2023-05-18T05:07:59.940594300Z",
    "EventData":{
        "FileVersion": "10.0.17134.1 (WinBuild.160101.0800)",
        "Company": "Microsoft Corporation",
        "TerminalSessionId": 0,
        "UtcTime": "2018-08-20 15:18:59.929",
        "Product": "Microsoft® Windows® Operating System",
    }
}

I have tried to playaround with json functions but unable to figure out how to achieve the above outcome.

Can someone please help ?

yuanliu · ‎05-23-2023

This seems to be the exact question as How to convert multiple individual json objects into a nested json object in an event ? You can checkout answer there. But I'm curious: why the interest all in a sudden? This doesn't seem to be a very practical use of Splunk. Such tasks can be more easily accomplished outside of SPL.

damode1 · ‎05-23-2023

ya sorry about that. my original post was repeatedly getting tagged as spam post for some unknown reason, hence, unfortunately I had to post it from another account.

How to convert multiple individual json objects into a nested json object ?

eval

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation