Splunk Search

How to extract nested JSON and display JsonObject in a table?

New Member

My sample event looks like below:

    "thread": "http-nio-8085-exec-1",
    "level": "INFO",
    "message": {
        "eventId": "68b3c5d3-02e5-4c33-af41-756b43fc4311",
        "signature": "public ResponseObj someMethod(RequestObj)",
        "duration": 1019,
        "request": [{"#my nested request Json goes here": "" } ],
        "response": {"#my nested response Json goes here": ""},
    "endOfBatch": false,
    "loggerFqcn": "org.apache.logging.log4j.spi.AbstractLogger",
    "instant": {
        "epochSecond": 1561664957,
        "nanoOfSecond": 437000000
    "threadId": 26,
    "threadPriority": 5

I would like to display in a table like below

|eventId | signature | duration | request | response

Issue: I was able to extract each element in a nested JSON but the cloud is not able to aggregate 'message.request' as one JSON String
Tried below :

index=sample loggerName="INSTRUMENTATION_TRACING" | spath | rename message.eventId as eventId, message.signature as signature message.duration as duration , message.request as request, message.response as response | table eventId, signature, duration, request, response

spath extracts all nested elements as expected. I could not see "message.request" or "message.response" in the extracted fields.

I only want to extract one level (i.e I want message.request and message.response elements as Json string to display in a table)

Is it possible? If so, can someone throw me some ideas, please.

0 Karma


Below SPL works for 'request' field as the field is a 'list' in the JSON input.

| spath output=request path=request{}
| table eventId, signature, duration, request
0 Karma

New Member

Sorry.., I need to display both request and response

0 Karma



Can you please share sample JSON for "request": [{"#my nested request Json goes here": "" } ],
"response": {"#my nested response Json goes here": ""},
and expected result from it?

0 Karma


Is that the formatted JSON (i.e. coming from Splunk display) or does your event have the whitespaces and newlines in it?

0 Karma

New Member

I will have whitespaces and newlines in my Splunk log event. The Json content of request and response changes based on the operation

0 Karma

New Member
    "eventId": "1065f4a2-d61d-438d-9862-6db0c41b5000",
    "metrics": {
        "NAME": "pilot-vehicle-service",
        "VERSION": "1.0",
        "ENVIRONMENT": "DEV",
        "INSTANCE_ID": "11",
        "CORRELATION_ID": "3259eef8-afab-4cf1-a8c3-20ed9682aefe",
        "LOCAL_ADDRESS": " ",
        "REMOTE_ADDRESS": "",
        "URI": "[POST]/pilot-vehicle-service/0.0/vehicle/preference"
    "signature": "public me.dhana.poc.vehicle.domain.Vehicle me.dhana.poc.vehicle.service.impl.DefaultVehicleQueryService.getPreference(me.dhana.poc.vehicle.domain.Category)",
    "duration": 343,
    "request": [
            "segment": "compact",
            "type": "suv"
    "response": {
        "id": "5",
        "manufacturer": "Honda",
        "year": 2017,
        "model": "Pilot",
        "price": 13300

Please find the sample above

0 Karma



I assume that this event from the search bar.

Can you please execute below searches?

index=sample loggerName="INSTRUMENTATION_TRACING" | spath 
| rename message.* as * | table  eventId, signature, duration, request{}*, response.*

Sample Search:

| makeresults 
| eval _raw="{
    \"thread\": \"http-nio-8085-exec-1\",
    \"level\": \"INFO\",
    \"loggerName\": \"INSTRUMENTATION_TRACING\",
    \"message\": {
        \"eventId\": \"1065f4a2-d61d-438d-9862-6db0c41b5000\",
        \"metrics\": {
            \"NAME\": \"pilot-vehicle-service\",
            \"VERSION\": \"1.0\",
            \"ENVIRONMENT\": \"DEV\",
            \"INSTANCE_ID\": \"11\",
            \"CORRELATION_ID\": \"3259eef8-afab-4cf1-a8c3-20ed9682aefe\",
            \"LOCAL_ADDRESS\": \" \",
            \"REMOTE_ADDRESS\": \"\",
            \"URI\": \"[POST]/pilot-vehicle-service/0.0/vehicle/preference\"
        \"signature\": \"public me.dhana.poc.vehicle.domain.Vehicle me.dhana.poc.vehicle.service.impl.DefaultVehicleQueryService.getPreference(me.dhana.poc.vehicle.domain.Category)\",
        \"duration\": 343,
        \"request\": [{
            \"segment\": \"compact\",
            \"type\": \"suv\"
            \"segment\": \"compact1\",
            \"type\": \"suv1\"
        \"response\": {
            \"id\": \"5\",
            \"manufacturer\": \"Honda\",
            \"year\": 2017,
            \"model\": \"Pilot\",
            \"price\": 13300
| spath
| rename message.* as * | table  eventId, signature, duration, request{}*, response.*

Note: in your JSON request is array type of object So multivalued field could found. See in sample search.

0 Karma

New Member

I tried your options, but the request/response is not displayed as one single column, each json element is displayed in its own column.

Is there a way that i can convert the extracted Json back to String and display(request/response) in one single Column?

0 Karma
Get Updates on the Splunk Community!

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...