topic array in Splunk Search

array

vinod0313 — Tue, 25 Aug 2020 08:37:53 GMT

Hello

I have log like below

FEATURES_USING=[tokenValidatorInfo=false, requestValidationRequired=false, requestPayloadValidationRequired=false, responsePayloadValidationRequired=false, aopUsed=false, tibcoCommunicatorUsed=false, secretsSecured=false]

I want result should be like below

tokenValidatorInfo=false

equestValidationRequired=false
requestPayloadValidationRequired=false
responsePayloadValidationRequired=false
aopUsed=false
tibcoCommunicatorUsed=false
secretsSecured=false

Re: array

ITWhisperer — Tue, 25 Aug 2020 09:52:10 GMT

Hi @vinod0313

It is not clear if you have already extracted any fields but assuming not:

| makeresults | eval log="FEATURES_USING=[tokenValidatorInfo=false, requestValidationRequired=false, requestPayloadValidationRequired=false, responsePayloadValidationRequired=false, aopUsed=false, tibcoCommunicatorUsed=false, secretsSecured=false]" | rex field=log "FEATURES_USING=\[(?<feature>.*)\]" | makemv delim=", " feature | mvexpand feature | fields feature

You could extract the part between the [] into a field, then make it multi-value using ", " as your delimiter, then expand the multi-value field into separate rows.

Re: array

vinod0313 — Tue, 25 Aug 2020 10:30:23 GMT

it is not working

my log is shown below

05789549ec5f environment=AWS-DEV 2020-08-25 09:33:52 [scheduling-1] [INFO ] [{spanId=e055c0a22de08485, traceId=e055c0a22de08485}] [com.deltadental.platform.common.config.AppConfig:refreshCommonServicesFeatures:93] - FEATURES_USING=[TOKEN_VALIDATION=false, REQUETS_VALIDATION=false, REQUEST_PAYLOAD_VALIDATION=false, RESPONSE_PAYLOAD_VALIDATION=false, AOP=false, TIBCO_COMMUNICATOR=false, SECRETS_SECURE=false]

I want result should like below

TOKEN_VALIDATION=false
REQUETS_VALIDATION=false
REQUEST_PAYLOAD_VALIDATION=false
-
-

Re: array

ITWhisperer — Tue, 25 Aug 2020 10:46:12 GMT

Always good to have a real example! However, what is not working?

| makeresults | eval log="05789549ec5f environment=AWS-DEV 2020-08-25 09:33:52 [scheduling-1] [INFO ] [{spanId=e055c0a22de08485, traceId=e055c0a22de08485}] [com.deltadental.platform.common.config.AppConfig:refreshCommonServicesFeatures:93] - FEATURES_USING=[TOKEN_VALIDATION=false, REQUETS_VALIDATION=false, REQUEST_PAYLOAD_VALIDATION=false, RESPONSE_PAYLOAD_VALIDATION=false, AOP=false, TIBCO_COMMUNICATOR=false, SECRETS_SECURE=false]" | rex field=log "FEATURES_USING=\[(?<feature>.*)\]" | makemv delim=", " feature | mvexpand feature | fields feature

Gives:

feature

TOKEN_VALIDATION=false

REQUETS_VALIDATION=false

REQUEST_PAYLOAD_VALIDATION=false

RESPONSE_PAYLOAD_VALIDATION=false

AOP=false

TIBCO_COMMUNICATOR=false

SECRETS_SECURE=false

Re: array

vinod0313 — Tue, 25 Aug 2020 10:54:38 GMT

i am getting below events i am not getting actual expected results

Re: array

ITWhisperer — Tue, 25 Aug 2020 10:59:16 GMT

Yes, the events don't change - you need to look at the results - try adding

| table feature

Then look at the statistics tab

Re: array

vinod0313 — Tue, 25 Aug 2020 11:03:40 GMT

I have added it.

Re: array

ITWhisperer — Tue, 25 Aug 2020 11:07:29 GMT

OK you took my solution too literally! The rex has to be applied to your _raw not my made up log field:

| rex field=_raw "FEATURES_USING=\[(?<feature>.*)\]"

Unless you have already extract FEATURES_USING into its own field

Re: array

to4kawa — Wed, 26 Aug 2020 11:05:39 GMT

index=_internal | head 1 | fields _raw | eval _raw="05789549ec5f environment=AWS-DEV 2020-08-25 09:33:52 [scheduling-1] [INFO ] [{spanId=e055c0a22de08485, traceId=e055c0a22de08485}] [com.deltadental.platform.common.config.AppConfig:refreshCommonServicesFeatures:93] - FEATURES_USING=[TOKEN_VALIDATION=false, REQUETS_VALIDATION=false, REQUEST_PAYLOAD_VALIDATION=false, RESPONSE_PAYLOAD_VALIDATION=false, AOP=false, TIBCO_COMMUNICATOR=false, SECRETS_SECURE=false]" | kv

and search with smart mode