Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk search - is it possible to automatically expand a result property wrap?

gunnist
Explorer
‎08-23-2021 06:47 AM

Hi,
In my query:


index="my_local" | sort -Date

I get a list of items, and if I look at one item (and lick "show as raw text") it looks like this:

{"Level":"Info","MessageTemplate":"ApiRequest","RenderedMessage":"ApiRequest","Properties":{"httpMethod":"GET","statusCode":200}, ...}

Since a lot of the properties are wrapped inside "Properties", I always have to expand it manually by clicking the expand icon (with plus sign).

Is there any way to get the search results already expanded (so I don't always have to click "Properties" to manually expand it)?

Many thanks! 🙂

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

codebuilder
Influencer
‎08-23-2021 07:02 AM

You can use mvexpand.

https://docs.splunk.com/Documentation/Splunk/8.2.2/SearchReference/Mvexpand

----
An upvote would be appreciated and Accept Solution if it helps!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

codebuilder
Influencer
‎08-23-2021 07:02 AM

You can use mvexpand.

https://docs.splunk.com/Documentation/Splunk/8.2.2/SearchReference/Mvexpand

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply
Solved! Jump to solution

gunnist
Explorer
‎08-23-2021 09:26 AM

source=my_local| sort -Date | mvexpand Properties

gives me:

Field 'Properties' does not exist in the data.

 

Am I missing something?

 

0 Karma
Reply
Solved! Jump to solution

codebuilder
Influencer
‎08-23-2021 10:12 AM

Does that field exist? And is it a multi-value field?

To verify try something like: source=my_local | table +

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...