topic Re: How to filter out specific rows in a table when the values come from JSON list ? in Getting Data In https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-specific-rows-in-a-table-when-the-values-come/m-p/442598#M77116 <P>@bugnet</P> <P>Can you please try this?</P> <PRE><CODE>index="alerts" | spath "MISP{}.FullContext{}.Event.Galaxy{}.GalaxyCluster{}.value" | spath id | spath "MISP{}.FullContext{}.Event.Galaxy{}.GalaxyCluster{}.type" | rename "MISP{}.FullContext{}.Event.Galaxy{}.GalaxyCluster{}.type" as Type | rename "MISP{}.FullContext{}.Event.Galaxy{}.GalaxyCluster{}.value" as Value | eval temp=mvzip(Type,Value) | mvexpand temp | eval Type = mvindex(split(temp,","),0), Value = mvindex(split(temp,","),1) | where Type="sector" | table Type Value id </CODE></PRE> Thu, 27 Jun 2019 08:59:08 GMT kamlesh_vaghela 2019-06-27T08:59:08Z How to filter out specific rows in a table when the values come from JSON list ? https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-specific-rows-in-a-table-when-the-values-come/m-p/442593#M77111 <P>Hi all, </P> <P>I have a table like the one below, with a column containing 'Type', 'Value', 'alert id'.<BR /> the problem is that the columns Type and Value coming from JSON list and I can't find a way to select specific values. <BR /> I want to show in the table specific values with the same 'id'.</P> <P>Search:</P> <PRE><CODE>index="alerts" | spath "MISP{}.FullContext{}.Event.Galaxy{}.GalaxyCluster{}.value" | spath id | spath "MISP{}.FullContext{}.Event.Galaxy{}.GalaxyCluster{}.type" | rename "MISP{}.FullContext{}.Event.Galaxy{}.GalaxyCluster{}.type" as Type | rename "MISP{}.FullContext{}.Event.Galaxy{}.GalaxyCluster{}.value" as Value | table Type Value id | where Type="sector" </CODE></PRE> <P>Results: (I want to show only the sector Type)<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/7247i6C1CE3B023E3BF6C/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Wed, 26 Jun 2019 11:41:10 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-specific-rows-in-a-table-when-the-values-come/m-p/442593#M77111 bugnet 2019-06-26T11:41:10Z Re: How to filter out specific rows in a table when the values come from JSON list ? https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-specific-rows-in-a-table-when-the-values-come/m-p/442594#M77112 <P>You asked it (at the end of your search) for events where Type = sector, and both returned events do INDEED have "sector" in their Type. What it is that you want instead - to return only the portions that actually correspond to the "sector" field?</P> <P>E.g. you would like a list that has 7 rows in it, corresponding to the 7 "sector" values?</P> <P>Does that sound right?</P> Wed, 26 Jun 2019 13:51:26 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-specific-rows-in-a-table-when-the-values-come/m-p/442594#M77112 Richfez 2019-06-26T13:51:26Z Re: How to filter out specific rows in a table when the values come from JSON list ? https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-specific-rows-in-a-table-when-the-values-come/m-p/442595#M77113 <P>@rich7177 Yes, I want to return only the portions that actually correspond to the "sector" field.</P> Thu, 27 Jun 2019 07:45:38 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-specific-rows-in-a-table-when-the-values-come/m-p/442595#M77113 bugnet 2019-06-27T07:45:38Z Re: How to filter out specific rows in a table when the values come from JSON list ? https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-specific-rows-in-a-table-when-the-values-come/m-p/442596#M77114 <P>@bugnet </P> <P>Can you please share sample event with masking values AND expected results?? </P> Thu, 27 Jun 2019 07:51:00 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-specific-rows-in-a-table-when-the-values-come/m-p/442596#M77114 kamlesh_vaghela 2019-06-27T07:51:00Z Re: How to filter out specific rows in a table when the values come from JSON list ? https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-specific-rows-in-a-table-when-the-values-come/m-p/442597#M77115 <P>Expected results: </P> <P><A href="https://ibb.co/RNxsJtY">https://ibb.co/RNxsJtY</A></P> Thu, 27 Jun 2019 08:18:52 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-specific-rows-in-a-table-when-the-values-come/m-p/442597#M77115 bugnet 2019-06-27T08:18:52Z Re: How to filter out specific rows in a table when the values come from JSON list ? https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-specific-rows-in-a-table-when-the-values-come/m-p/442598#M77116 <P>@bugnet</P> <P>Can you please try this?</P> <PRE><CODE>index="alerts" | spath "MISP{}.FullContext{}.Event.Galaxy{}.GalaxyCluster{}.value" | spath id | spath "MISP{}.FullContext{}.Event.Galaxy{}.GalaxyCluster{}.type" | rename "MISP{}.FullContext{}.Event.Galaxy{}.GalaxyCluster{}.type" as Type | rename "MISP{}.FullContext{}.Event.Galaxy{}.GalaxyCluster{}.value" as Value | eval temp=mvzip(Type,Value) | mvexpand temp | eval Type = mvindex(split(temp,","),0), Value = mvindex(split(temp,","),1) | where Type="sector" | table Type Value id </CODE></PRE> Thu, 27 Jun 2019 08:59:08 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-specific-rows-in-a-table-when-the-values-come/m-p/442598#M77116 kamlesh_vaghela 2019-06-27T08:59:08Z