-
Notifications
You must be signed in to change notification settings - Fork 1
Home
Welcome to the official docs for the JMESPath app for Splunk!
Splunk users can download and install the latest release from SplunkBase. Developers can get early access to upcoming release and contribute to this app on GitHub.
All of this documentation assumes that your running version 2.0 of the app or later. (Or currently, the 1.9.x series which is a pre-release for 2.0.x). There were some backwards compatibility breaks between 1.0 and 2.0 so beware of what version you are running. Really early releases disabled upgrade-checking, so the UI may not tell you that an new version is available for release. (As far as I know, no one was actually using 1.0, if that's not true please contact me!)
This app adds 2 new search commands to your Splunk instance:
jmespath "<jmespath-string>" [input=<field>] [output=<field>] [default=<string>]
jsonformat [indent=<int>] [order=undefined|preserve|sort] <field> [AS <field>]
Full command reference:
Throughout this documentation you'll find many "run-anywhere" examples that are intended to allow new users to quickly test out new concepts with minimal effort. Nearly all of these do require that you have already install jmespath in your Splunk environment first. You should be able to simply copy-n-paste the entire example and be testing it on your local instance within a few seconds.
While often ugly, these example do allow you to easily have an up-and-running example without requiring that you have the exact same JSON events or data feed available locally. You can test out a concept quickly and easily without fear of damaging anything.
Here's a trivial example to get you started:
| makeresults | eval _raw="{\"doc\":{\"jmespath\":\"JMESPath rocks\"}}"
| jmespath output=newfield doc.jmespath | table newfield
- Introduction
- So what is JMESPath?
- What's wrong with spath?
- Command Reference
- Tutorial (Search examples)
- Change Log