Solved: How to get the nested objects from my JSON data fi...

sintjm

I want to get the values from the path field but I can't extract this alone as data.initial_state.path would output extra values

PickleRick

Splunk has its limitations. One of them is not very pretty handling of structured data (which is understandable to a point). So if you use either automatic extractions or the spath command, to parse whole event you'll get a multivalued field.

From that field you have to get your first value either by means of mvindex() function or by mvexpanding the event and selecting just first result.

Alternatively you can call spath with a specific path within your json structure. Like

| spath path=data.initiate_state{0}.path{0}

You can even get all first path elements from all initstate_state elements by

| spath path=data.initiate_state{}.path{0}

View solution in original post

yuanliu

It is very unclear what you mean by "the first one that shows". Your screenshot shows that your input contains several JSON arrays data.events[], data.initiate_state[], data.initiate_state[].community[], data.initiate_state[].path[], etc. (It is important to illustrate raw JSON data, not Splunk's "beautified view", much less screenshot of "beautified view". You can reveal raw data by clicking "Show as raw text" in search window. Anonymize as needed.)

I am also curious what is the use case to only wanting/needing "the first one that shows" from a data structure that is meant to contain multiple values? Are other elements in the array not meaningful? In a JSON array, every element is assumed to be equally weighed semantically. How do you determine that "the first" is significant and the rest is not? If there is truly some semantic insignificance of the rest of an array, you should exert every bit of your influence on developers to restructure data so you don't have bad semantics. If you are uncertain, you should consult developers/manuals to clarify how data should be used.

This much said, it is still unclear what is the meaning of "first one that shows." Array data.initiate_state[].path[] is nested in array data.initiate_state[]. Do you want "first one that shows" in every element of data.initiate_state[]? Of do you want "first one that shows" in data.initiate_state[].path[] in the "first one that shows" in data.initiate_state[]?

sintjm

The first one that shows" in data.initiate_state[].path[]

And yes, the other array elements are not as meaningful as the first element.

sintjm

I just realized why I got more values because there are nested objects below with the same fields but i only want the first one that shows

PickleRick

Splunk has its limitations. One of them is not very pretty handling of structured data (which is understandable to a point). So if you use either automatic extractions or the spath command, to parse whole event you'll get a multivalued field.

From that field you have to get your first value either by means of mvindex() function or by mvexpanding the event and selecting just first result.

Alternatively you can call spath with a specific path within your json structure. Like

| spath path=data.initiate_state{0}.path{0}

You can even get all first path elements from all initstate_state elements by

| spath path=data.initiate_state{}.path{0}

How to get the nested objects from my JSON data field?

fields

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!