JMESPath for Splunk
JMESPath (pronounced "james path") makes dealing with JSON data in Splunk easier by leveraging a standardized query language for JSON. This allows you to declaratively specify how to extract elements from a JSON document. In many ways, this is a better spath.
Splunk users can download and install the latest release from SplunkBase. Developers can access and contribute to this app on GitHub.
jmespath "<jmespath-string>" [input=<field>] [output=<field>] [default=<string>]
jsonformat [indent=<int>] [order=undefined|preserve|sort] <field> [AS <field>]
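A run-anywhere search using both commands together, added here as an illustration and not taken from the app's own documentation. The event is constructed sample data shaped like a cloud audit log, and the output field names (failed_users, failed_src, pretty) are arbitrary choices.

```spl
| makeresults
| eval _raw="{\"_comment\":\"constructed sample data\",\"Records\":[{\"eventName\":\"ConsoleLogin\",\"sourceIPAddress\":\"198.51.100.7\",\"userIdentity\":{\"userName\":\"alice\"},\"responseElements\":{\"ConsoleLogin\":\"Failure\"}},{\"eventName\":\"ConsoleLogin\",\"sourceIPAddress\":\"203.0.113.20\",\"userIdentity\":{\"userName\":\"bob\"},\"responseElements\":{\"ConsoleLogin\":\"Success\"}},{\"eventName\":\"ListBuckets\",\"sourceIPAddress\":\"203.0.113.20\",\"userIdentity\":{\"userName\":\"bob\"}}]}"
| jmespath "Records[?eventName=='ConsoleLogin' && responseElements.ConsoleLogin=='Failure'].userIdentity.userName" input=_raw output=failed_users
| jmespath "Records[?responseElements.ConsoleLogin=='Failure'].sourceIPAddress" input=_raw output=failed_src
| jsonformat indent=2 order=sort _raw AS pretty
| table failed_users failed_src pretty
```

The filter expressions select only the failed console login in the sample (user alice, source 198.51.100.7); the ListBuckets record has no responseElements key, so the comparison evaluates against null and the record is skipped rather than raising an error.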
Full documentation regarding this app, how to use it, along with various tips and tricks about how to best extract and format your JSON events is available on the GitHub wiki page. See the official JMESPath for Splunk documentation. Many "run-anywhere" examples are provided throughout to help new users get a solid understanding of this tool.
See "Install an add-on" in Splunk's official documentation. There are no extra install steps. No configuration is required.
Sourcetype | Purpose |
---|---|
command:jmespath | Internal logs and stats related to custom Jmespath SPL command. |
command:jsonformat | Internal logs and stats related to custom Jmespath SPL command. |
Find internal/script errors:
Add logging_level=DEBUG to your existing query to enable additional debug logs:
| jsonformat logging_level=DEBUG ...
Search the above debug logs, or other messages from or about the Jmespath SPL search command:
index=_internal (source=*jmespath.log*) OR (sourcetype=splunkd jsonformat.py)
Review SPL search command logs grouped by request:
index=_internal sourcetype=command:jsonformat | transaction host Pid
Apache License 2
If you would like to develop or build this TA from source, see the development documentation.
- jmespath Docs: https://jmespath.org
Community support is available on a best-effort basis. For information about commercial support, contact Kintyre. Issues are tracked via GitHub.
See the full Change log
- John Berwick: original author of this Splunk app
- Lowell Alleman: current maintainer
- James Saryerwinnie: author of JMESPath Python library
- Mike Rybar: Logo
This addon was built from the Kintyre Splunk App builder (version 1.11.5) cookiecutter project.