Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

json_extend Scalar Bug, or Coercing JSON Scalars into JSON Arrays

tscroggins
Influencer
a week ago

Hi Splunkers!

In the current json_extend documentation <https://help.splunk.com/en/splunk-enterprise/spl-search-reference/10.0/evaluation-functions/json-fun...>, if <path> specifies "a scalar or object value," the value should be "[autowrapped] ... within an array;" however, this doesn't appear to be the case:

| makeresults
| eval obj=json_object("foo", "bar") ``` or obj="{\"foo\":\"bar\"}" ```
| eval arr=json_extend(obj, "foo", json_array("baz")) ``` or arr=json_extend(obj, "foo", "[\"baz\"]") ```

If I understand the documentation correctly, "bar" should be coerced to the array ["bar"] and then extended to ["bar","baz"], but it is not. The original object is returned unmodified. json_extend works correctly when the input value is already an array:

| makeresults
| eval obj=json_object("foo", json_array("bar", "baz"))
| eval arr=json_extend(obj, "foo", json_array("qux"))

The example was contrived to illustrate the issue. In practice, the value of foo may be either an array or a scalar. For example, the lookup eval function returns a scaler on a single match and an array on multiple matches. json_extract is similarly inconsistent when it returns a Splunk native type for scalars and a string for arrays:

| makeresults
| eval obj=json_object("foo", "bar")
| eval val=json_extract(obj, "foo") ``` ==> foo ```
| eval obj=json_object("foo", json_array("bar", "baz"))
| eval val=json_extract(obj, "foo") ``` ==> ["bar","baz"] ```

If scalars can be coerced into arrays, values that may be either scalars or arrays can be parsed by json_array_to_mv or other functions without custom wrappers using if, case, replace, etc.

Have you encountered this issue? How have you solved it?

Labels (2)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
a week ago

I can confirm that it does indeed seem to work not as it is described in the docs. So it warrants a support case.

A walkaround would require some dirty trick with checking whether an element is a scalar or not (possibly with json_array_to_mv(json_extract(...)) and then do json_delete() and json_append(). Very ugly.

0 Karma
Reply

tscroggins
Influencer
Sunday

The "autowrap" functionality was introduced (according to documentation) in 9.2.0 <https://help.splunk.com/en/splunk-enterprise/search/spl-search-reference/9.2/evaluation-functions/js...>.

I just tested in 9.2.0.1, and the behavior is the same as 10.0. I'm not going to test every maintenance release between then and now, but I'd guess it's never worked as documented.

0 Karma
Reply

tscroggins
Influencer
Sunday

This is for me, not a customer; I only have a dev license.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
Sunday

You could post a docs feedback instead.

0 Karma
Reply

tscroggins
Influencer
Sunday

So much feedback for the new documentation SPA. 😉 Edit: I've posted feedback. Pre-Cisco, feedback was very effective; I've not submitted anything since the acquisition, so we'll see! Grammar and syntax have taken a downturn over the last year or so.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...