JMESPath (pronounced "james path") makes dealing with JSON data in Splunk easier by leveraging a standardized query language for JSON. This allows you to declaratively specify how to extract elements from a JSON document. In many ways, this is a more powerful
jmespath "jmespath-string" [field=field] [outfield=field] [default=string]
jsonformat [indent=int] [order=undefined|preserve|sort] field [AS field]
Full documentation for this app, including how to use it and various tips and tricks for extracting and formatting your JSON events, is available on the GitHub wiki page. See the official JMESPath for Splunk documentation. Many "run-anywhere" examples are provided throughout to help new users get a solid understanding of this tool.
See "Install an add-on" in Splunk's official documentation. There are no extra install steps. No configuration is required.
See the full Change log
Please check out the JMESPath for Splunk documentation
* Minor bug fixes.
* Added a new output mode to jsonformat that allows for the creation of run-anywhere examples. Use "output_mode=makeresults"
* Update jsonformat to use order preservation by default. (You can revert to the older, faster, behaviour with "order=undefined").
* External library refresh: jmespath 0.9.4 and splunk-sdk 1.6.6
1.9.4 (Nov 13, 2018) Fourth public 2.0 release candidate
- Fix bug with mvlist inputs. (More of a just-don't-crash workaround for the moment.)
- Enhance output so that mvfields are only used as needed. Also eliminated the scenario where a single value could be unnecessarily wrapped in a single item list and therefore be returned as a JSON string.
1.9.3 (Nov 13, 2018) Third public 2.0 release candidate
- Adds wildcard support for the 'output' argument. This allows hashes to be expanded into multiple output fields in one invocation to jmespath.
- Fixed bug in the 'unroll()' function.
- Added support for quoting within the JMESPath expression, thus allowing support for keys that contain symbols.
Second public 2.0 release candidate
- Adds secondary search command: jsonformat which supports formatting JSON events and/or fields, syntax validation, control over key ordering and so on. (Also contains an Easter egg where it can convert a python repr string into a valid JSON object, helpful for debugging splunklib searchcommand logs.)
- Adds the Splunk Python SDK (1.6.5) for use with jsonformat and eventually jmespath.
- Using SCP2 format so dropping 6.2 and earlier, though you could probably still make it work if you really wanted to...
First public 2.0 release candidate
- Add several custom functions to JMESPath core to simplify common Splunk data scenarios.
- BREAKING CHANGE: Switched to use `spath` style arguments instead of `xpath` style. (Technically a compatibility layer is in place, but I'm hoping not to keep that around too long.)
- Ensure that complex results are always returned as a JSON string, not as a python representation format. This allows subsequent processing with less hassle.
- Significant expansion of docs and UI feedback.
Add `appIcon.png` images to resolve app inspect issue.
# First stable release
* Fixed various internal errors and enhanced stability
* Error messages are now reported to the user. Global errors (like a syntax issue, or attempting to use a non-existent function) will result in an error, whereas issues with individual events get logged to a hidden field `_jmespath_error` since often these can be safely ignored.
* The jmespath python library was updated from 0.9.0 to 0.9.3 (latest stable release)
# Under new management
The original creator of this project no longer has time to maintain it, so I'm stepping in. I'm pulling the code to GitHub so anyone can contribute and pick up from where I left off, you know, in case I also don't release any updates for 2 years.
More info here: https://github.com/Kintyre/jmespath/
Please direct all issues and enhancements via GitHub issues. Or ping me `@lowell` on Splunk's usergroup Slack.
Fixed flatten procedure.
Any integer values found need to be converted to a string.