json_extend Scalar Bug, or Coercing JSON Scalars into JSON Arrays

tscroggins
Champion

Hi Splunkers!

In the current json_extend documentation <https://help.splunk.com/en/splunk-enterprise/spl-search-reference/10.0/evaluation-functions/json-fun...>, if <path> specifies "a scalar or object value," the value should be "[autowrapped] ... within an array;" however, this doesn't appear to be the case:

| makeresults
| eval obj=json_object("foo", "bar") ``` or obj="{\"foo\":\"bar\"}" ```
| eval arr=json_extend(obj, "foo", json_array("baz")) ``` or arr=json_extend(obj, "foo", "[\"baz\"]") ```

If I understand the documentation correctly, "bar" should be coerced to the array ["bar"] and then extended to ["bar","baz"], but it is not. The original object is returned unmodified. json_extend works correctly when the input value is already an array:

| makeresults
| eval obj=json_object("foo", json_array("bar", "baz"))
| eval arr=json_extend(obj, "foo", json_array("qux"))

The example was contrived to illustrate the issue. In practice, the value of foo may be either an array or a scalar. For example, the lookup eval function returns a scalar on a single match and an array on multiple matches. json_extract is similarly inconsistent when it returns a Splunk native type for scalars and a string for arrays:

| makeresults
| eval obj=json_object("foo", "bar")
| eval val=json_extract(obj, "foo") ``` ==> foo ```
| eval obj=json_object("foo", json_array("bar", "baz"))
| eval val=json_extract(obj, "foo") ``` ==> ["bar","baz"] ```

If scalars can be coerced into arrays, values that may be either scalars or arrays can be parsed by json_array_to_mv or other functions without custom wrappers using if, case, replace, etc.

Have you encountered this issue? How have you solved it?

0 Karma

PickleRick
SplunkTrust

I can confirm that it does indeed seem not to work as described in the docs. So it warrants a support case.

A workaround would require some dirty trick with checking whether an element is a scalar or not (possibly with json_array_to_mv(json_extract(...))) and then do json_delete() and json_append(). Very ugly.

0 Karma
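A sketch of the kind of wrapper discussed above, added as an example and not posted by anyone in the thread: it wraps foo in an array before calling json_extend, so both shapes go through the path the original post reports as working. It uses json_set rather than json_delete/json_append, handles scalar values only, and assumes json_set stores the result of json_array as a nested array; a scalar string that itself begins with "[" cannot be told apart from an array here.

```spl
| makeresults count=2
| streamstats count AS n
| eval obj=if(n=1, json_object("foo", "bar"), json_object("foo", json_array("bar", "baz"))) ``` constructed sample rows: one scalar foo, one array foo ```
| eval cur=json_extract(obj, "foo") ``` arrays come back as a string starting with [ ```
| eval obj=case(isnull(cur), obj, match(cur, "^\["), obj, true(), json_set(obj, "foo", json_array(cur))) ``` wrap only when foo exists and is not already an array ```
| eval arr=json_extend(obj, "foo", json_array("qux")) ``` foo is now always an array, so json_extend takes the array path ```
| fields - cur n
```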

tscroggins
Champion

The "autowrap" functionality was introduced (according to documentation) in 9.2.0 <https://help.splunk.com/en/splunk-enterprise/search/spl-search-reference/9.2/evaluation-functions/js...>.

I just tested in 9.2.0.1, and the behavior is the same as 10.0. I'm not going to test every maintenance release between then and now, but I'd guess it's never worked as documented.

0 Karma

tscroggins
Champion

This is for me, not a customer; I only have a dev license.

0 Karma

PickleRick
SplunkTrust

You could post a docs feedback instead.

0 Karma

tscroggins
Champion

So much feedback for the new documentation SPA. 😉 Edit: I've posted feedback. Pre-Cisco, feedback was very effective; I've not submitted anything since the acquisition, so we'll see! Grammar and syntax have taken a downturn over the last year or so.

0 Karma