This page in the Splunk training wiki area, discusses an array of miscellaneous tips anything from saving time, to how to approach solving a data problem, to a small performance tweak, to external tools needed to massage the data or form a query.
1. Working with JSON
The OM mediabar data is ingested into Splunk as ‘sourcetype’=_json which is a built in type of Splunk so it knows how to read JSON. The logging by OM components are, in part or in total, in JSON format so it is useful to have tool(s) to help read compacted JSON, expand it, query it, or change it.
1.1. 'jq'
My tool of choice is ‘jq', a lightweight fast JSON processor. I use it by command line but there are many third-parties that have built upon it so if you prefer UI, go to jqplay.org.
1.1.1. Create JSON format Splunk search results
The JSON formatted Splunk query results from the page were created by followed this process:
Run a search in Splunk search app, click the button to the right and above the searchbar and download/export to CSV.
Copy and paste the CSV contents in plain text into left side pane at jqplay.org.
Write your filter command and your JSON formatted results are generated on the right side pane at jqplay.org.
The outcome looks like Figure 1 below (this is the customer CTI environment query on page ),
Note: the Filter shown below only has a slight complexity for the ‘hisurl’ field but it is not required, therefore, you can copy and paste the Filter below and then change field names and their order (aka map({“field0”: .[0], “field1”: .[1], “field2”: .[2], etc.) and it will work for any CSV.
 |