icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading JMESPath for Splunk
SHA256 checksum (jmespath-for-splunk_195.tgz) ca5d403afbbcb3e27ff957aabbc667433bdb1812b142b5aa0fec556c7bff4950 SHA256 checksum (jmespath-for-splunk_194.tgz) fa831a4d927c78aee9a6d46d22dca52acb179d58020bacb717a05190dd39e253 SHA256 checksum (jmespath-for-splunk_193.tgz) d38f63c72a64fbad31ff30ef494698f06457dd6c4c1f05c4bb6c5a43b3881aae SHA256 checksum (jmespath-for-splunk_192.tgz) bb1bf1b320a97f9c7141969de34ccd2ff8a609fefe12062f735e8847fec41ae5 SHA256 checksum (jmespath-for-splunk_191.tgz) 5d39d37937428db3f8183f212d052d0254d1bc07b0fb3816eea6e23fd8704144 SHA256 checksum (jmespath-for-splunk_102.tgz) 351eb216320d2eab7276596db37c4e4ef14048e9ac3ec7147eb677547c7fad71 SHA256 checksum (jmespath-for-splunk_101.tgz) 57e610b2391da6ff15da1ab8611a3ca6905769f5fc43cb1ea018f66d30a1fe1b SHA256 checksum (jmespath-for-splunk_10rc2.tgz) 7a9708e1b8c10705dc70e52cbba1317c033602a45501da327cb3ce348e937586 SHA256 checksum (jmespath-for-splunk_10rc.tgz) c88c7dca3fd0b1c4a9a6dabccd8f6e0dd2df620cfe9b28974278a134cc406007
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

JMESPath for Splunk

Splunk AppInspect Passed
JMESPath for Splunk expands builtin JSON processing abilities with a powerful standardized query language. This app provides two JSON-specific search commands to reduce your search and development efforts:

* jmespath - Precision query tool for JSON events or fields
* jsonformat - Format, validate, and order JSON content

In some cases, a single jmsepath call can replace a half-dozen built-in search commands. Sound too good to be true? The jmespath command can parse nested JSON strings and unroll arrays {Name: x, Value: y} hashes with ease. Checkout the examples and try it yourself!

NOTE: The 1.0.x series is stable and the 1.9.x release are in preparation for 2.0.0. Some backwards compatibility changes are planned and several things aren't yet set in stone. Contact us if you have any concerns or would like to be involved.

More Information and JMESPath tutorials can be found here:


JMESPath for Splunk

JMESPath (pronounced "james path") makes dealing with JSON data in Splunk easier by leveraging a standardized query language for JSON. This allows you to declaratively specify how to extract elements from a JSON document. In many ways, this is a more powerful spath.

Splunk users can download and install the app from SplunkBase. Developers can access the full source code on GitHub.


jmespath "jmespath-string" [field=field] [outfield=field] [default=string]
jsonformat [indent=int] [order=undefined|preserve|sort] field [AS field]

Full reference:


Full documentation regarding this app, how to use it, along with various tips and tricks about how to best extract and format your JSON events is available on the GitHub wiki page. See the official JMESPath for Splunk documention. Many "run-anywhere examples are provided throughout to help new users get a solid understanding of this tool.

Installation & Configuration

See the Install an add-on in Splunk's official documentation. There are no extra install steps. No configuration is required.


Community support is available on best-effort basis only. For information about commercial support, contact Kintyre
Issues are tracked via GitHub


See the full Change log

Please check out the JMESPath for Splunk documention

Release Notes

Version 1.9.5
March 20, 2019

* Minor bug fixes.
* Added a new output mode to jsonformat that allows for the creation of run-anywhere examples. Use "output_mode=makeresults"
* Update jsonformat to use order preservation by default. (You can revert to the older, faster, behaviour with "order=undefined").
* External library refresh: jmespath 0.9.4 and splunk-sdk 1.6.6

Version 1.9.4
Nov. 14, 2018

1.9.4 (Nov 13, 2018) Fourth public 2.0 release candidate
- Fix bug with mvlist inputs. (More of a just-dont-crash-workaround for the moment).
- Enhance output so that mvfields are only used as needed. Also eliminated the scenario where a single value could be unnecessarily wrapped in a single item list and therefore be returned as a JSON string.

Version 1.9.3
Nov. 14, 2018

1.9.3 (Nov 13, 2018) Third public 2.0 release candidate

- Adds wildcard support for the 'output' argument. This allows hashes to be expanded into multiple output fields in one invocation to jmespath.
- Fixed bug in the 'unroll()' function.
- Added support for quoting within the JMESpath expression, thus allowing support for keys that contain symbols.

Version 1.9.2
Nov. 13, 2018

Second public 2.0 release candidate

- Adds secondary search command: jsonformat which supports formatting JSON events and/or fields, syntax validation, control over key ordering and so on. (Also contains an Easter egg where it can convert a python repr string into a valid JSON object, helpful for debugging splunklib searchcommand logs.)
- Adds the Splunk Python SDK (1.6.5) for use with jsonformat and eventually jmespath.
- Using SCP2 format so dropping 6.2 and earlier, though you could probably still make it work if you really wanted to...

Version 1.9.1
Nov. 13, 2018

First public 2.0 release candidate

- Add several custom functions to JMESPath core to simplify common Splunk data scenarios.
- BREAKING CHANGE: Switched to use `spath` style arguments instead of `xpath` style. (Technically a compatibility layer is in place, but I'm hoping not to keep that around too long.)
- Ensure that complex results are always returned as a JSON string, not as a python representation format. This allows subsequent processing with less hassle.
- Significant expansion of docs and UI feedback.

Version 1.0.2
Nov. 9, 2018

Add `appIcon.png` images to resolve app inspect issue.

Version 1.0.1
Nov. 9, 2018

# First stable release

* Fixed various internal errors and enhanced stability
* Error messages are now reported to the user. Global errors (like a syntax issue, or attempting to use a non-existant function) will result in an error, whereas issues with individual events get logged to a hidden field `_jmespath_error` since often these can be safely ignored.
* The jmespath python library was update from 0.9.0 to 0.9.3 (latest stable release)

# Under new management

The original creator of this project no longer has time to maintain it, so I'm stepping in. I'm pulling the code to GitHub so anyone can contribute and pickup from where I left off, you know, in case I also don't release any updates for 2 years.

More info here: https://github.com/Kintyre/jmespath/

Please direct all issues and enhancements via GitHub issues. Or ping me `@lowell` on Splunk's usergroup Slack.

Version 1.0RC2
July 26, 2016

Fixed flatten procedure.

Version 1.0RC
July 24, 2016

Fixed issue:
Any integer values found need to be converted to a string.


Subscribe Share

AppInspect Tooling

Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 50GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
© 2005-2019 Splunk Inc. All rights reserved.
Splunk®, Splunk>®, Listen to Your Data®, The Engine for Machine Data®, Hunk®, Splunk Cloud™, Splunk Light™, SPL™ and Splunk MINT™ are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.