Splunk Search

How to pass through fields with complex data in search results?

marekr
New Member

There is probably a simple solution to this, but unfortunately I was not able to find the answer in the documentation, nor by searching the community.

I am injecting events into Splunk, with a certain JSON structure, e.g.

 

[
  { "foo": { "k1": 1, "k2": 2 },
    "bar": { "m1": 5, "m2": 6 },
    "string1": "hi",
    "string2": "bye"
  },
  { "foo": { "k1": 11, "k2": 22 },
    "bar": { "m1": 55, "m2": 66 },
    "string1": "hi2",
    "string2": "bye2"
  },
  ... and so on ...
]

 

 

 

I can nicely search these events in Splunk, e.g. by | where foo.k1 > 10

Now when searching through the REST API, I can specify which fields I would like to get, e.g. with | fields string1, foo | fields - _*

The problem I am having is as follows:

  • When specifying the field "foo" - which has a map (or some other complex structure) in the above naive way, I am not getting any contents from it in my search result (the results are nicely visible in the event view of the Splunk web UI - but in the REST API)
  • When using fields foo*, I am getting an expanded result:
    { "foo.k1": 1, "foo.k2": 2 }
  • I tried spath, like in: | spath output=myfoo path=foo | fields myfoo | fields - _*
    which however gives me a string that contains JSON:
    {"myfoo": "{\"k1\": 1,\"k2\": 2}"}

The above are all sub-optimal; I would like to get a search result which is pure JSON, and preserves the structure of the "foo" field, so that I would get: { ..., "foo": { "k1": 1, "k2": 2 }, ... }

Or in other words: I would like to pass through some of the event content as is to the result, such that I would get a nice hierarchical data structure when parsing the JSON search result.

Thanks a lot for your valuable advice!

Labels (1)
0 Karma
Get Updates on the Splunk Community!

What’s new on Splunk Lantern in August

This month’s Splunk Lantern update gives you the low-down on all of the articles we’ve published over the past ...

Welcome to the Future of Data Search & Exploration

You have more data coming at you than ever before. Over the next five years, the total amount of digital data ...

This Week's Community Digest - Splunk Community Happenings [8.3.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...