×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
arminbashizade
Engager
Member since: ‎05-19-2021
‎05-28-2021
Community Statistics
Posts 2
Solutions 1
Karma Given 1
Karma Received 0
Member Since ‎05-19-2021
View All

Re: How can I deserialize a JSON string to be show...

by in Dashboards & Visualizations
‎05-28-2021 10:56 AM
‎05-28-2021 10:56 AM
Thanks @ITWhisperer ! That helped with finding the answer. I can't pass the job id from the table result, because the result is still a table and does not include events. However, I can have both panels share the same job. I created another panel and hid it. This hidden panel runs the same search as the table panel, but without the last " | table ..." command, so that I can have a result set of events. Then I changed both table and panel event to load that job and search through that. The table panel uses a query like this: | loadjob $job_id$ | table Time, Level, Message,... And events panel uses a query like this: | loadjob $job_id$ | search EventId=$selected_event_id$   Note that if the hidden panel search does not extract the fields you're going to use when you load the job, you need to add "spath" after "loadjob", e.g. | loadjob $job_id$ | spath | table Time,...   see this question for how to store job id in a token: https://community.splunk.com/t5/Dashboards-Visualizations/How-to-get-search-ID-job-sid-from-XML-dashboard-in-JavaScript/m-p/374089 for hiding a panel: <panel depends="$always_hide$"> </panel>   ... View more

How can I deserialize a JSON string to be shown as...

by in Dashboards & Visualizations
‎05-25-2021 10:05 AM
‎05-25-2021 10:05 AM
I've created a dashboard for searching and filtering events, and it consists of two panels for presenting the results: a table to show a summary of the events based on search criteria, columns are: Time, CorrelationId, Service Name, Log Level, and Message, which are shared attributes among all events an Events panel to show the entirety of an event, which includes attributes that are specific to an event and are not shared with other events, e.g. Stack Trace for errors the table's drilldown is set to "row", and when a row is clicked it sets some tokens that are used to search again to find that event and show it on the Events panel. My goal is to avoid the second search, because the event is already retrieved by the table panel. I've tried passing _raw from table panel to events panel and use makeresults but that command creates a table row and can only be viewed under Statistics/Table tab and does not show anything when Events/List tab is selected. What I need is to view the event in the format that is shown in the screenshot below: I know that renaming a JSON to _raw will deserialize it, but that requires a result-set of events to begin with, e.g.       * | head 1 | eval tmp="{\"key\":\"value\"}" | rename tmp as _raw       will show the new JSON instead of the original event but the below query with makeresults does not give the same result:       | makeresults | eval tmp="{\"key\":\"value\"}" | rename tmp as _raw         only Statistics tab shows results.   To summarize, I want to get the event in the format that can be seen in the first screenshot above, but without running a search, because I already have the entire event, including its _raw. Any help is appreciated! ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎05-28-2021 02:44 PM
Karma given to
View All