No, you can't (easily and efficiently) make such "dynamic" extraction. Splunk is very good at dealing with key-value fields, but it doesn't have any notion of "structure" in data. It can parse JSON or XML into flat key-value pairs in several ways (auto_kv, spath/xpath, indexed extractions), but all those methods have some drawbacks, as the structure of the data is lost and is only partially retained in the field naming.

So if you handle JSON/XML data it's often the best idea (if you have the possibility, of course) to influence the event-emitting side so that the events are easily parseable and can be processed in Splunk without much overhead.

Because your data (which you haven't posted a sample of - shame on you) most probably contains something like

    {
      [... some other part of json ...],
      "result": {
        "some_event_id": { [... event data ...] },
        "another_event_id": { [... event data ...] }
      }
    }

while it would be much better to have it as

    {
      [...]
      "result": [
        { "id": "first_id", [... result details ...] },
        { "id": "another_id", [... result details ...] }
      ]
    }

It would be much better because then you'd have a static, easily accessible field called id. Of course, from Splunk's point of view, if you managed to flatten the events even more (possibly splitting them into several separate ones), that would be even better.

With the format you have, since it's not getting parsed as a multivalued field (you don't have an array in your JSON but separate fields), it's gonna be tough. You might try some clever foreach magic, but I can't guarantee success here. An example of such an approach is here in the run-anywhere example:

    | makeresults
    | eval json="{\"result\":{\"1\":[{\"a\":\"n\"},{\"b\":\"m\"}],\"2\":[{\"a\":\"n\"},{\"b\":\"m\"}]}}"
    | spath input=json
    | foreach result.*{}.a [ | eval results=mvappend(results,"<<MATCHSTR>>" . ":" . '<<FIELD>>') ]
    | mvexpand results
    | eval resultsexpanded=split(results,":")
    | eval resultid=mvindex(resultsexpanded,0), resultvalue=mvindex(resultsexpanded,1)
    | table resultid,resultvalue

But as you can see, it's nowhere near pretty.
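The answer above recommends fixing the data at the event-emitting side rather than fighting the keyed-object shape in SPL. Below is an added example of what that reshaping looks like in code; it is not part of the original answer or of Splunk itself. It takes the `{"result": {"<id>": {...}}}` shape the answer describes and produces both alternatives it mentions: the array-with-`id` form, and fully flattened one-event-per-line JSON. The event IDs, field names and values in `KEYED_EVENT` are constructed sample data, and the function names are hypothetical.

```python
import json

# Constructed sample in the "keyed object" shape the answer describes.
# The event ids and payload fields are made up for illustration.
KEYED_EVENT = {
    "host": "app01",
    "result": {
        "evt-001": {"status": "ok", "latency_ms": 12},
        "evt-002": {"status": "error", "latency_ms": 340},
    },
}


def to_id_array(doc, key="result", id_field="id"):
    """Rewrite doc[key] from {id: {...}} into [{id: ..., ...}, ...].

    The dynamic object keys become a static field (default "id"), so
    Splunk's spath yields parallel multivalue fields such as
    result{}.id and result{}.status instead of one field name per id.
    The input document is not mutated.
    """
    keyed = doc.get(key)
    if not isinstance(keyed, dict):
        raise ValueError(f"{key!r} must be an object keyed by event id")
    items = []
    for event_id, details in keyed.items():
        if not isinstance(details, dict):
            raise ValueError(f"entry {event_id!r} under {key!r} is not an object")
        if id_field in details:
            # Refuse rather than silently overwrite a field the producer set.
            raise ValueError(f"entry {event_id!r} already has a {id_field!r} field")
        item = {id_field: event_id}
        item.update(details)
        items.append(item)
    out = {k: v for k, v in doc.items() if k != key}
    out[key] = items
    return out


def split_events(doc, key="result", id_field="id"):
    """Flatten one document into one flat event per entry under doc[key].

    Every top-level field other than `key` (e.g. host) is copied onto
    each event so nothing is lost when the envelope disappears. This is
    the "split it into several separate events" option from the answer.
    """
    context = {k: v for k, v in doc.items() if k != key}
    events = []
    for item in to_id_array(doc, key, id_field)[key]:
        flat = dict(context)
        flat.update(item)
        events.append(flat)
    return events


def as_json_lines(doc, key="result", id_field="id"):
    """Serialise the split events as compact JSON, one event per line,
    which Splunk can ingest with a line-based JSON sourcetype."""
    return [json.dumps(e, separators=(",", ":")) for e in split_events(doc, key, id_field)]


if __name__ == "__main__":
    print(json.dumps(to_id_array(KEYED_EVENT), indent=2))
    for line in as_json_lines(KEYED_EVENT):
        print(line)
```

With the array form, a plain `| spath` on the event gives `result{}.id`, `result{}.status` and `result{}.latency_ms` as aligned multivalue fields that `mvexpand` or `mvzip` can pull apart without any `foreach` tricks; with the one-event-per-line output, `id` becomes an ordinary top-level field and no restructuring search is needed at all.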