There is probably a simple solution to this, but unfortunately I was not able to find the answer in the documentation, nor by searching the community.
I am injecting events into Splunk, with a certain JSON structure, e.g.
[
{ "foo": { "k1": 1, "k2": 2 },
"bar": { "m1": 5, "m2": 6 },
"string1": "hi",
"string2": "bye"
},
{ "foo": { "k1": 11, "k2": 22 },
"bar": { "m1": 55, "m2": 66 },
"string1": "hi2",
"string2": "bye2"
},
... and so on ...
]
I can nicely search these events in Splunk, e.g. by | where foo.k1 > 10
Now when searching through the REST API, I can specify which fields I would like to get, e.g. with | fields string1, foo | fields - _*
The problem I am having is as follows:
- When specifying the field "foo" - which has a map (or some other complex structure) in the above naive way, I am not getting any contents from it in my search result (the results are nicely visible in the event view of the Splunk web UI - but in the REST API)
- When using fields foo*, I am getting an expanded result:
{ "foo.k1": 1, "foo.k2": 2 }
- I tried spath, like in: | spath output=myfoo path=foo | fields myfoo | fields - _*
which however gives me a string that contains JSON:
{"myfoo": "{\"k1\": 1,\"k2\": 2}"}
The above are all sub-optimal; I would like to get a search result which is pure JSON, and preserves the structure of the "foo" field, so that I would get: { ..., "foo": { "k1": 1, "k2": 2 }, ... }
Or in other words: I would like to pass through some of the event content as is to the result, such that I would get a nice hierarchical data structure when parsing the JSON search result.
Thanks a lot for your valuable advice!
