I am now very interested in Splunk's spath command, which can automatically extract values from JSON. But I can't extract them to fields in an index or sourcetype?
Example: raw JSON in the field src_content:
| spath input=src_content
| table any_property_in_src_content
It will automatically extract the fields, very good! But how do I save these fields?
- Use field aliases, calculated fields, field extractions, field transformations?
The data has many JSON forms and properties. If I use regex, it is very hardcore 😞, not as good as the AUTOMATIC extraction of spath 😞
- I think this problem is the same in data models. Please help me with a solution.
Finally, I have a question: if I save the raw JSON in the field src_content in a data model, then for queries, searches and reports I will use spath with src_content in the data model. Is its performance then much slower?