Splunk Search

How to get the nested objects from my JSON data field?

sintjm
Path Finder

I want to get the values from the path field, but I can't extract this alone, as data.initial_state.path would output extra values.



PickleRick
SplunkTrust

Splunk has its limitations. One of them is its not very pretty handling of structured data (which is understandable to a point). So if you use either automatic extractions or the spath command to parse the whole event, you'll get a multivalued field.

From that field you have to get your first value either by means of the mvindex() function or by mvexpanding the event and selecting just the first result.

Alternatively you can call spath with a specific path within your JSON structure, like

| spath path=data.initiate_state{0}.path{0}

You can even get all first path elements from all initiate_state elements by

| spath path=data.initiate_state{}.path{0}

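An added example, not Splunk's code and not from this thread: a small Python emulation of the spath path syntax used in the answer above, run over a constructed event shaped like the question's JSON. It shows why a bare data.initial_state.path flattens into a multivalued field while {0} and {} pick the first or every array element; the flattening rule for a bare key is an assumption chosen to mirror the "extra values" the asker describes, and mvindex() is emulated for the first-value step.

```python
import json
import re

# Constructed sample event shaped like the nested JSON in the question
# (several initiate_state objects, each with its own path array); not the OP's data.
SAMPLE_EVENT = json.dumps({"data": {
    "events": ["login", "view"],
    "initiate_state": [
        {"community": ["c1"], "path": ["/home", "/home/a"]},
        {"community": ["c2"], "path": ["/search", "/search/b"]},
    ],
}})

_SEGMENT = re.compile(r"^([^{}.]+)((?:\{\d*\})*)$")

def resolve(event_json, path):
    """Emulate spath-style path resolution on one JSON event (not Splunk's code).

    Segments are '.'-separated. 'key{}' keeps every array element (a multivalued
    result), 'key{N}' keeps element N (0-based, as in the accepted answer). A bare
    'key' that lands on an array is flattened across all elements: assumed here to
    mirror the "extra values" the asker saw from data.initial_state.path.
    """
    nodes = [json.loads(event_json)]
    for segment in path.split("."):
        m = _SEGMENT.match(segment)
        if not m:
            raise ValueError(f"bad path segment: {segment!r}")
        key, indices = m.group(1), re.findall(r"\{(\d*)\}", m.group(2))
        nxt = []
        for node in nodes:
            if not isinstance(node, dict) or key not in node:
                continue
            vals = [node[key]]
            for idx in indices:  # apply each {} / {N} selector in turn
                picked = []
                for v in vals:
                    if isinstance(v, list):
                        picked.extend(v if idx == "" else v[int(idx):int(idx) + 1])
                vals = picked
            if not indices:  # bare key: flatten arrays like an auto-extraction
                vals = [x for v in vals for x in (v if isinstance(v, list) else [v])]
            nxt.extend(vals)
        nodes = nxt
    return nodes

def mvindex(values, i):
    """Emulate mvindex(): element i of a multivalued result, None when out of range."""
    return values[i] if -len(values) <= i < len(values) else None
```

Running resolve(SAMPLE_EVENT, "data.initiate_state.path") returns all four path strings, which is the multivalued field the question complains about; "data.initiate_state{0}.path{0}" returns just the first.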

yuanliu
SplunkTrust

It is very unclear what you mean by "the first one that shows".  Your screenshot shows that your input contains several JSON arrays: data.events[], data.initiate_state[], data.initiate_state[].community[], data.initiate_state[].path[], etc. (It is important to illustrate raw JSON data, not Splunk's "beautified view", much less a screenshot of the "beautified view".  You can reveal raw data by clicking "Show as raw text" in the search window.  Anonymize as needed.)

I am also curious what the use case is for only wanting/needing "the first one that shows" from a data structure that is meant to contain multiple values.  Are the other elements in the array not meaningful?  In a JSON array, every element is assumed to be equally weighted semantically.  How do you determine that "the first" is significant and the rest are not?  If there is truly some semantic insignificance to the rest of an array, you should exert every bit of your influence on developers to restructure the data so you don't have bad semantics.  If you are uncertain, you should consult developers/manuals to clarify how the data should be used.

This much said, it is still unclear what the meaning of "first one that shows" is.  Array data.initiate_state[].path[] is nested in array data.initiate_state[].  Do you want the "first one that shows" in every element of data.initiate_state[]?  Or do you want the "first one that shows" in data.initiate_state[].path[] in the "first one that shows" in data.initiate_state[]?


sintjm
Path Finder

"The first one that shows" in data.initiate_state[].path[].

And yes, the other array elements are not as meaningful as the first element.


sintjm
Path Finder

I just realized why I got more values: there are nested objects below with the same fields, but I only want the first one that shows.

