topic Re: Return Value from specific key within an Object in Splunk Search

How to return value from specific key within an object?

bmohammadi — Thu, 11 Aug 2022 15:08:30 GMT

Dear Community,

I am new to Splunk so apologies for the newbie question:

Basic Problem

I have a field which holds an Object and I am having difficulties retrieving a value from a specific key within this object.

Purpose

I am running a search and I want to retrieve two datetime values from two separate keys within a field, find the difference between these 2 datetime values and finally return a list of events where the difference is less than a particular value.

I know how to return a table of results based on a simple criteria and can perform datetime manipulations, I just cannot retrieve the actual datetime values needed to make the calculation.

*I can successfully store the whole object to a variable using the eval command but cannot extract the value from it.

Assumptions

The thing I am working with is indeed an Object. I.e. a dictionary style list in the following format

{"key1" : "value" , "key2" : "value" , "key2" : "value"}

I am attempting to extract the value using the eval command

Any help would be greatly appreciated.

Kind regards,

Ben

Re: Return Value from specific key within an Object

ITWhisperer — Thu, 11 Aug 2022 12:09:49 GMT

Use spath - by default spath works on _raw, but you can specify an input field e.g. the field holding your object.

If this isn't enough to go on, perhaps you can provide a bit more detail as to what you are dealing with, e.g. some sample events and which fields you have already extracted from them.

Re: Return Value from specific key within an Object

bmohammadi — Thu, 11 Aug 2022 14:59:19 GMT

Thank you very much ITWhisperer!

I was able to achieve what I wanted using the following syntax based on you recommendation:

| eval myVariable=spath(fieldName, "Key2")