Solved: how to convert JSON property of event to string? - Splunk Community

Splunk Search

Hello,

I have a HEC with events like the following:

{
    "Log": {
        "Status": "Ordered",
        "Platform": {
            "A": {
                "Tracking": {"Field1": "Value1", "Field2": "Value2"}
            }
        }
    }
}

When I run the query

index="my_index" AND Log.Status="Ordered" 
| table Log.Status Log.Platform.A.Tracking

I get all the data for Status.
However my requirement is to have the JSON object Log.Platform.A.Tracking in a string format - the JSON as a String?

How can I achieve this?

1 Solution

Solution

| spath path=Log.Status output=Status
| spath path=Log.Platform.A.Tracking output=Tracking
| table Status Tracking

View solution in original post

Thank you so much!

Solution

| spath path=Log.Status output=Status
| spath path=Log.Platform.A.Tracking output=Tracking
| table Status Tracking

Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

Thursday, July 10, 2025 | 11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...