Solved: Re: Splunk search - is it possible to automaticall...

gunnist · ‎08-23-2021

Hi,
In my query:

index="my_local" | sort -Date

I get a list of items, and if I look at one item (and lick "show as raw text") it looks like this:

{"Level":"Info","MessageTemplate":"ApiRequest","RenderedMessage":"ApiRequest","Properties":{"httpMethod":"GET","statusCode":200}, ...}

Since a lot of the properties are wrapped inside "Properties", I always have to expand it manually by clicking the expand icon (with plus sign).

Is there any way to get the search results already expanded (so I don't always have to click "Properties" to manually expand it)?

Many thanks! 🙂

codebuilder · ‎08-23-2021

You can use mvexpand.

https://docs.splunk.com/Documentation/Splunk/8.2.2/SearchReference/Mvexpand

----
An upvote would be appreciated and Accept Solution if it helps!

View solution in original post

codebuilder · ‎08-23-2021

You can use mvexpand.

https://docs.splunk.com/Documentation/Splunk/8.2.2/SearchReference/Mvexpand

----
An upvote would be appreciated and Accept Solution if it helps!

gunnist · ‎08-23-2021

source=my_local| sort -Date | mvexpand Properties

gives me:

Field 'Properties' does not exist in the data.

Am I missing something?

codebuilder · ‎08-23-2021

Does that field exist? And is it a multi-value field?

To verify try something like: source=my_local | table +

----
An upvote would be appreciated and Accept Solution if it helps!

Splunk search - is it possible to automatically expand a result property wrap?

other

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!