Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Searching and viewing json sourcetypes, why do extracted field names contain "{}" characters and drilldown doesn't work from the "syntax highlight" view?

pembleton
Path Finder
‎03-02-2015 08:57 AM

Hey there,

Two problems with searching and viewing json sourcetypes:

1) Anybody know what's the deal with the json extracted field names?
we get the dict "{}" thing inside the field names and it drives me crazy.

For example, for this dict:

{"match_number":64,"location":"Estadio do Maracana","datetime":"2014-07-13T16:00:00.000-03:00","status":"completed","home_team":{"country":"Germany","code":"GER","goals":1},"away_team":{"country":"Argentina","code":"ARG","goals":0},"winner":"Germany","winner_code":"GER","home_team_events":[{"id":1410,"type_of_event":"yellow-card","player":"Schweinsteiger","time":"29"},{"id":1411,"type_of_event":"substitution-out","player":"Kramer","time":"31"},{"id":1412,"type_of_event":"substitution-in","player":"Schürrle","time":"31"},{"id":1413,"type_of_event":"yellow-card","player":"Höwedes","time":"34"},{"id":1423,"type_of_event":"substitution-in","player":"Götze","time":"88"},{"id":1422,"type_of_event":"substitution-out","player":"Klose","time":"88"},{"id":1424,"type_of_event":"goal","player":"Götze","time":"113"},{"id":1425,"type_of_event":"substitution-out","player":"özil","time":"120"},{"id":1426,"type_of_event":"substitution-in","player":"Mertesacker","time":"120"}],"away_team_events":[{"id":1415,"type_of_event":"substitution-in halftime","player":"Aguero","time":"46"},{"id":1414,"type_of_event":"substitution-out halftime","player":"Lavezzi","time":"46"},{"id":1416,"type_of_event":"yellow-card","player":"Mascherano","time":"64"},{"id":1417,"type_of_event":"yellow-card","player":"Aguero","time":"65"},{"id":1419,"type_of_event":"substitution-in","player":"Palacio","time":"78"},{"id":1418,"type_of_event":"substitution-out","player":"Higuain","time":"78"},{"id":1420,"type_of_event":"substitution-out","player":"Perez","time":"86"},{"id":1421,"type_of_event":"substitution-in","player":"Gago","time":"86"}]}

we get field names like "away_team_events{}.type_of_event" and we would really like it to not contain the "{}".

2) Drilldown doesn't work from the "syntax highlight" view, the one that shows them collapsed/expanded. Clicking just does nothing!

Thanks ahead!

EDIT:
Field names -
1. it's annoying while writing searches, I think it's more harm than good.
2. we have been using XML up until now and it was great

Drilldown -
Yes, I meant modyfing the search according to the field values. It's just really buggy,

  1. sometimes it gives field names that don't exist and then we get no results.
  2. sometimes it simply doesn't work at all, clicking a field value nothing happens.

Example for the first case -
json search
after clicking "add to search"

I can't upload the other case, but it's very simple, clicking any of the search modifying options just does nothing.

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎03-02-2015 09:56 PM

You are seeing the '{}' for all JSON arrays, to indicate that it is an array. Why does it bug you?

Also, in the event list, what do you expect to happen when you say "drilldown doesn't work"? There generally is no drilldown in the event list tab of the Search&Reporting app!?
Clicking an element value in syntax highlighted mode (as well as raw mode) should bring up a pop-up menue, allowing you to modify your search with that value or create a new search for it.

If I am not understanding your question, maybe a screenshot would help.

0 Karma
Reply

pembleton
Path Finder
‎03-08-2015 01:07 AM

Field names -
1. it's annoying while writing searches, I think it's more harm than good.
2. we have been using XML up until now and it was great

Drilldown -
Yes, I meant modyfing the search according to the field values. It's just really buggy,

  1. sometimes it gives field names that don't exist and then we get no results
  2. sometimes it simply doesn't work at all, clicking a field value nothing happens.

Example for the first case -
json search
after clicking "add to search"
I can't upload the other case, but it's very simple, clicking any of the search modifying options just does nothing.

0 Karma
Reply

roman_melko
Engager
‎12-01-2016 02:00 AM

I too have this issue (1 one, when {} appears in JSON multi-value field names). Is there any solution to cut it off except "| rename *{}* **" at search time? I would like to remove {} characters at some index time or at least to have this configured in conf files so it will be removed automatically.

Thanks in advance.

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...