Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create sample JSON data and display it in a tree structure?

LearningGuy
Motivator
a month ago

Hello,
How to create sample JSON data and display it in tree structure?
I used makeresults to create sample JSON data below

| makeresults 
| eval data = "{\"name\":\"John Doe\",\"age\":30,\"address\":{\"street\":\"123 Main St\",\"city\":\"Anytown\",\"state\":\"CA\",\"zip\":\"12345\"},\"interests\":[\"reading\",\"hiking\",\"coding\"]}"

The search result is below.
LearningGuy_0-1744991048233.png

My expected output is below. I have the option to select "list" from the drop down, but this option is only available if I import the data to an index.  Please help. Thanks

LearningGuy_1-1744991429331.png

 

JSON data:

{
  "name": "John Doe",
  "age": 30,
  "address": {
    "street": "123 Main St",
    "city": "Anytown",
    "state": "CA",
    "zip": "12345"
  },
  "interests": [
    "reading",
    "hiking",
    "coding"
  ]
}

 

Labels (3)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

livehybrid
Super Champion
a month ago

Hi @LearningGuy 
Ah yes you do need access to the index you search but it can be any index. 

You might actually be able to use the "windbag" command instead like this:

| windbag | head 1 | eval _raw="{\"name\":\"John Doe\",\"age\":30,\"address\":{\"street\":\"123 Main St\",\"city\":\"Anytown\",\"state\":\"CA\",\"zip\":\"12345\"},\"interests\":[\"reading\",\"hiking\",\"coding\"]}"

livehybrid_0-1745002354308.png

 

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

View solution in original post

Reply
Solved! Jump to solution

livehybrid
Super Champion
a month ago

Hi @LearningGuy 

When using makeresults which is a report-generating command you get a table output.

When I want to get a JSON tree view you need it to be an eventbased output, I use this little tricky to get an event and then override with eval _raw like this:

index=_internal | head 1 | eval _raw="{\"name\":\"John Doe\",\"age\":30,\"address\":{\"street\":\"123 Main St\",\"city\":\"Anytown\",\"state\":\"CA\",\"zip\":\"12345\"},\"interests\":[\"reading\",\"hiking\",\"coding\"]}"

livehybrid_0-1744992323244.png

 

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Reply
Solved! Jump to solution

LearningGuy
Motivator
a month ago

Hello @livehybrid 

If I literally used your query, I got no result, but if I changed the index name to one of my existing indexes, I got the same output.
1. Should I use one of my existing indexes for testing?  (As I am not an admin, I don't have the ability to import JSON and create an index)
2. How do I create a summary index in JSON format with a tree structure?
Thank you so much for your help

LearningGuy_0-1744996643935.png

 

0 Karma
Reply
Solved! Jump to solution
Solution

livehybrid
Super Champion
a month ago

Hi @LearningGuy 
Ah yes you do need access to the index you search but it can be any index. 

You might actually be able to use the "windbag" command instead like this:

| windbag | head 1 | eval _raw="{\"name\":\"John Doe\",\"age\":30,\"address\":{\"street\":\"123 Main St\",\"city\":\"Anytown\",\"state\":\"CA\",\"zip\":\"12345\"},\"interests\":[\"reading\",\"hiking\",\"coding\"]}"

livehybrid_0-1745002354308.png

 

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
a month ago

Not being admin, you might not have access to _internal which is why you get no events which you can override the _raw field. So, yes, try using one of the indexes you do have access to (with a corresponding timeframe so that you find at least 1 event).

Assuming you have access/permissions, you can add to a summary index with the collect command. https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Collect

Reply
Solved! Jump to solution

LearningGuy
Motivator
a month ago

Hi @ITWhisperer 

Will a JSON format with a tree structure be supported if I create a summary index using a Splunk report?
The Splunk report automatically generated  summary index using the "summaryindex" command , rather than  the "collect" command. 

According to the documentation you sent, using output_format=hec to get JSON-formatted output.

Thank you

0 Karma
Reply
Solved! Jump to solution

livehybrid
Super Champion
a month ago

Hi @LearningGuy 

Yes you can use output_mode=hec - see below:

| windbag 
| head 1 
| eval _raw="{\"name\":\"John Doe\",\"age\":30,\"address\":{\"street\":\"123 Main St\",\"city\":\"Anytown\",\"state\":\"CA\",\"zip\":\"12345\"},\"interests\":[\"reading\",\"hiking\",\"coding\"]}" 
| eval source="answersDemo" 
| collect index=main output_format=hec

Then when I search index=main source=answersDemo:

livehybrid_0-1745002797055.png

Note - you need to ensure you have the run_collect capability for your role and also access to the index you are collecting in to.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

 

Reply
Solved! Jump to solution

LearningGuy
Motivator
a month ago

Hi @livehybrid 

The windbag command worked just fine, but the collect command did not work.
How do I use collect command in the Splunk report that appended |summaryindex automatically?

Perhaps screenshot below will explain better. Thank you for your help

LearningGuy_2-1745004365541.png

I have a Splunk report that generates summary index daily

LearningGuy_0-1745003660305.png
The search query will be

index=summary      report=json_test



When the report run daily, the search will be appended with "| summary index" command below:

| windbag | head 1 | eval _raw="{\"name\":\"John Doe\",\"age\":30,\"address\":{\"street\":\"123 Main St\",\"city\":\"Anytown\",\"state\":\"CA\",\"zip\":\"12345\"},\"interests\":[\"reading\",\"hiking\",\"coding\"]}"

| summaryindex spool=t uselb=t addtime=t index="summary" file="RMD[random characters].stash_new" name="json_test" marker="hostname=\"https://aa.test.com/\",report=\"json_test\"



LearningGuy_1-1745003727158.png

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
Top