Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get the nested objects from my JSON data field?

sintjm
Path Finder
‎05-06-2024 07:18 AM

I want to get the values from the path field but I can't extract this alone as data.initial_state.path would output extra values 

sintjm_0-1715004909640.png

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎05-06-2024 10:28 AM

Splunk has its limitations. One of them is not very pretty handling of structured data (which is understandable to a point). So if you use either automatic extractions or the spath command, to parse whole event you'll get a multivalued field.

From that field you have to get your first value either by means of mvindex() function or by mvexpanding the event and selecting just first result.

Alternatively you can call spath with a specific path within your json structure. Like

| spath path=data.initiate_state{0}.path{0}

You can even get all first path elements from all initstate_state elements by

| spath path=data.initiate_state{}.path{0}

View solution in original post

Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎05-06-2024 09:51 AM

It is very unclear what you mean by "the first one that shows".  Your screenshot shows that your input contains several JSON arrays data.events[], data.initiate_state[], data.initiate_state[].community[], data.initiate_state[].path[], etc. (It is important to illustrate raw JSON data, not Splunk's "beautified view", much less screenshot of "beautified view".  You can reveal raw data by clicking "Show as raw text" in search window.  Anonymize as needed.)

I am also curious what is the use case to only wanting/needing "the first one that shows" from a data structure that is meant to contain multiple values?  Are other elements in the array not meaningful?  In a JSON array, every element is assumed to be equally weighed semantically.  How do you determine that "the first" is significant and the rest is not?  If there is truly some semantic insignificance of the rest of an array, you should exert every bit of your influence on developers to restructure data so you don't have bad semantics.  If you are uncertain, you should consult developers/manuals to clarify how data should be used.

This much said, it is still unclear what is the meaning of "first one that shows."  Array data.initiate_state[].path[] is nested in array data.initiate_state[].  Do you want "first one that shows" in every element of data.initiate_state[]?  Of do you want "first one that shows" in data.initiate_state[].path[] in the "first one that shows" in data.initiate_state[]?

0 Karma
Reply
Solved! Jump to solution

sintjm
Path Finder
‎05-06-2024 10:06 AM

The first one that shows" in data.initiate_state[].path[]

And yes, the other array elements are not as meaningful as the first element.

0 Karma
Reply
Solved! Jump to solution

sintjm
Path Finder
‎05-06-2024 08:01 AM

I just realized why I got more values because there are nested objects below with the same fields but i only want the first one that shows

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎05-06-2024 10:28 AM

Splunk has its limitations. One of them is not very pretty handling of structured data (which is understandable to a point). So if you use either automatic extractions or the spath command, to parse whole event you'll get a multivalued field.

From that field you have to get your first value either by means of mvindex() function or by mvexpanding the event and selecting just first result.

Alternatively you can call spath with a specific path within your json structure. Like

| spath path=data.initiate_state{0}.path{0}

You can even get all first path elements from all initstate_state elements by

| spath path=data.initiate_state{}.path{0}
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top