Splunk Search

Searching and viewing json sourcetypes, why do extracted field names contain "{}" characters and drilldown doesn't work from the "syntax highlight" view?

pembleton
Path Finder

Hey there,

Two problems with searching and viewing json sourcetypes:

1) Anybody know what's the deal with the json extracted field names?
we get the dict "{}" thing inside the field names and it drives me crazy.

For example, for this dict:

{"match_number":64,"location":"Estadio do Maracana","datetime":"2014-07-13T16:00:00.000-03:00","status":"completed","home_team":{"country":"Germany","code":"GER","goals":1},"away_team":{"country":"Argentina","code":"ARG","goals":0},"winner":"Germany","winner_code":"GER","home_team_events":[{"id":1410,"type_of_event":"yellow-card","player":"Schweinsteiger","time":"29"},{"id":1411,"type_of_event":"substitution-out","player":"Kramer","time":"31"},{"id":1412,"type_of_event":"substitution-in","player":"Schürrle","time":"31"},{"id":1413,"type_of_event":"yellow-card","player":"Höwedes","time":"34"},{"id":1423,"type_of_event":"substitution-in","player":"Götze","time":"88"},{"id":1422,"type_of_event":"substitution-out","player":"Klose","time":"88"},{"id":1424,"type_of_event":"goal","player":"Götze","time":"113"},{"id":1425,"type_of_event":"substitution-out","player":"özil","time":"120"},{"id":1426,"type_of_event":"substitution-in","player":"Mertesacker","time":"120"}],"away_team_events":[{"id":1415,"type_of_event":"substitution-in halftime","player":"Aguero","time":"46"},{"id":1414,"type_of_event":"substitution-out halftime","player":"Lavezzi","time":"46"},{"id":1416,"type_of_event":"yellow-card","player":"Mascherano","time":"64"},{"id":1417,"type_of_event":"yellow-card","player":"Aguero","time":"65"},{"id":1419,"type_of_event":"substitution-in","player":"Palacio","time":"78"},{"id":1418,"type_of_event":"substitution-out","player":"Higuain","time":"78"},{"id":1420,"type_of_event":"substitution-out","player":"Perez","time":"86"},{"id":1421,"type_of_event":"substitution-in","player":"Gago","time":"86"}]}

we get field names like "away_team_events{}.type_of_event" and we would really like it to not contain the "{}".

2) Drilldown doesn't work from the "syntax highlight" view, the one that shows them collapsed/expanded. Clicking just does nothing!

Thanks ahead!


EDIT:
Field names -
1. it's annoying while writing searches, I think it's more harm than good.
2. we have been using XML up until now and it was great

Drilldown -
Yes, I meant modyfing the search according to the field values. It's just really buggy,

  1. sometimes it gives field names that don't exist and then we get no results.
  2. sometimes it simply doesn't work at all, clicking a field value nothing happens.

Example for the first case -
json search
after clicking "add to search"

I can't upload the other case, but it's very simple, clicking any of the search modifying options just does nothing.

0 Karma

s2_splunk
Splunk Employee
Splunk Employee

You are seeing the '{}' for all JSON arrays, to indicate that it is an array. Why does it bug you?

Also, in the event list, what do you expect to happen when you say "drilldown doesn't work"? There generally is no drilldown in the event list tab of the Search&Reporting app!?
Clicking an element value in syntax highlighted mode (as well as raw mode) should bring up a pop-up menue, allowing you to modify your search with that value or create a new search for it.

If I am not understanding your question, maybe a screenshot would help.

0 Karma

pembleton
Path Finder

Field names -
1. it's annoying while writing searches, I think it's more harm than good.
2. we have been using XML up until now and it was great

Drilldown -
Yes, I meant modyfing the search according to the field values. It's just really buggy,

  1. sometimes it gives field names that don't exist and then we get no results
  2. sometimes it simply doesn't work at all, clicking a field value nothing happens.

Example for the first case -
json search
after clicking "add to search"
I can't upload the other case, but it's very simple, clicking any of the search modifying options just does nothing.

0 Karma

roman_melko
Engager

I too have this issue (1 one, when {} appears in JSON multi-value field names). Is there any solution to cut it off except "| rename *{}* **" at search time? I would like to remove {} characters at some index time or at least to have this configured in conf files so it will be removed automatically.

Thanks in advance.

0 Karma
Get Updates on the Splunk Community!

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...