is it recommended to do a json extract after the GeoIP function?

Josh Brunvoll

Hey Folks, i have a silly Q, I am using GeoIP with maxminddbs and it adds a json array like it should. When it gets into Splunk, the only way to search elements in the array requires an | spath command and cant search like a normal key=value. is it recommended to do a json extract after the GeoIP function? if not, how should I pull those fields?

Jon Rust

i'd use flatten, and filter out the unwanted entries (other languages etc)

Josh Brunvoll

Ohh Flatten. Didnt even cross my mind on that command. Thanks a bunch!

Jon Rust

Eval to remove junk fields:

Jon Rust

then flatten

Jon Rust

then Rename: