Splunk Search

How to pass through fields with complex data in search results?

New Member

There is probably a simple solution to this, but unfortunately I was not able to find the answer in the documentation, nor by searching the community.

I am injecting events into Splunk, with a certain JSON structure, e.g.


  { "foo": { "k1": 1, "k2": 2 },
    "bar": { "m1": 5, "m2": 6 },
    "string1": "hi",
    "string2": "bye"
  { "foo": { "k1": 11, "k2": 22 },
    "bar": { "m1": 55, "m2": 66 },
    "string1": "hi2",
    "string2": "bye2"
  ... and so on ...




I can nicely search these events in Splunk, e.g. by | where foo.k1 > 10

Now when searching through the REST API, I can specify which fields I would like to get, e.g. with | fields string1, foo | fields - _*

The problem I am having is as follows:

  • When specifying the field "foo" - which has a map (or some other complex structure) in the above naive way, I am not getting any contents from it in my search result (the results are nicely visible in the event view of the Splunk web UI - but in the REST API)
  • When using fields foo*, I am getting an expanded result:
    { "foo.k1": 1, "foo.k2": 2 }
  • I tried spath, like in: | spath output=myfoo path=foo | fields myfoo | fields - _*
    which however gives me a string that contains JSON:
    {"myfoo": "{\"k1\": 1,\"k2\": 2}"}

The above are all sub-optimal; I would like to get a search result which is pure JSON, and preserves the structure of the "foo" field, so that I would get: { ..., "foo": { "k1": 1, "k2": 2 }, ... }

Or in other words: I would like to pass through some of the event content as is to the result, such that I would get a nice hierarchical data structure when parsing the JSON search result.

Thanks a lot for your valuable advice!

Labels (1)
0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...