Solved: Re: display all values of JSON field in a table if...

dasaed · ‎01-20-2022

I have a JSON with a field containing another object, but this object varies depending on type. For example, you may have these 3 logs under the same sourcetype/index:

{ "Log":"something","user": "me" ,"type":"car", "data": {"case1":"something"} }
{ "Log":"something","user": "me" ,"type":"apple", "data": {"fruity":"yummy"} }
{ "Log":"something","user": "me","type":"Cauliflower", "data":{"veggie":"eww", "fact":"good for you"} }

and I want a table query to look something like this:
user | data
me | {"case1":"something"}
me | {"fruity":"yummy"}
me | {"veggie":"eww", "fact":"good for you"}

I tried the following query:
index=mylog | table user,data
but my results usually look like this (with either nulls or straight up empty):
user | data
me | null
me |
me | null

data itself may sometimes be very long, but I would still like to see its entire output in the table. How can I go about this?

ITWhisperer · ‎01-20-2022

| spath path=user
| spath path=data
| table user data

View solution in original post

ITWhisperer · ‎01-20-2022

| spath path=user
| spath path=data
| table user data

yuanliu · ‎01-22-2022

path=user is not necessary for this dataset. But that's a great illustration of path option in spath!

richgalloway · ‎01-20-2022

Have you tried index=mylog | table user,data.* ?

---
If this reply helps you, Karma would be appreciated.

display all values of JSON field in a table if you don't know the structure of the json

field extraction

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

display all values of JSON field in a table if you don't know the structure of the json

field extraction

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR