Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to get the nested objects from my JSON data field?

sintjm
Path Finder
‎05-06-2024 07:18 AM

I want to get the values from the path field but I can't extract this alone as data.initial_state.path would output extra values 

sintjm_0-1715004909640.png

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎05-06-2024 10:28 AM

Splunk has its limitations. One of them is not very pretty handling of structured data (which is understandable to a point). So if you use either automatic extractions or the spath command, to parse whole event you'll get a multivalued field.

From that field you have to get your first value either by means of mvindex() function or by mvexpanding the event and selecting just first result.

Alternatively you can call spath with a specific path within your json structure. Like

| spath path=data.initiate_state{0}.path{0}

You can even get all first path elements from all initstate_state elements by

| spath path=data.initiate_state{}.path{0}

View solution in original post

Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎05-06-2024 09:51 AM

It is very unclear what you mean by "the first one that shows".  Your screenshot shows that your input contains several JSON arrays data.events[], data.initiate_state[], data.initiate_state[].community[], data.initiate_state[].path[], etc. (It is important to illustrate raw JSON data, not Splunk's "beautified view", much less screenshot of "beautified view".  You can reveal raw data by clicking "Show as raw text" in search window.  Anonymize as needed.)

I am also curious what is the use case to only wanting/needing "the first one that shows" from a data structure that is meant to contain multiple values?  Are other elements in the array not meaningful?  In a JSON array, every element is assumed to be equally weighed semantically.  How do you determine that "the first" is significant and the rest is not?  If there is truly some semantic insignificance of the rest of an array, you should exert every bit of your influence on developers to restructure data so you don't have bad semantics.  If you are uncertain, you should consult developers/manuals to clarify how data should be used.

This much said, it is still unclear what is the meaning of "first one that shows."  Array data.initiate_state[].path[] is nested in array data.initiate_state[].  Do you want "first one that shows" in every element of data.initiate_state[]?  Of do you want "first one that shows" in data.initiate_state[].path[] in the "first one that shows" in data.initiate_state[]?

0 Karma
Reply
Solved! Jump to solution

sintjm
Path Finder
‎05-06-2024 10:06 AM

The first one that shows" in data.initiate_state[].path[]

And yes, the other array elements are not as meaningful as the first element.

0 Karma
Reply
Solved! Jump to solution

sintjm
Path Finder
‎05-06-2024 08:01 AM

I just realized why I got more values because there are nested objects below with the same fields but i only want the first one that shows

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎05-06-2024 10:28 AM

Splunk has its limitations. One of them is not very pretty handling of structured data (which is understandable to a point). So if you use either automatic extractions or the spath command, to parse whole event you'll get a multivalued field.

From that field you have to get your first value either by means of mvindex() function or by mvexpanding the event and selecting just first result.

Alternatively you can call spath with a specific path within your json structure. Like

| spath path=data.initiate_state{0}.path{0}

You can even get all first path elements from all initstate_state elements by

| spath path=data.initiate_state{}.path{0}
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...