https://community.splunk.com/t5/Splunk-Search/How-to-filter-search-by-value-from-a-json-list/m-p/613557#M213243 <P>Hi&nbsp;</P> <P>Consider this event structure :</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="javascript">{"result" : {"dogs" : [{"name" : "dog-a", "food":["pizza", "burger"] }, {"name" : "dog-b", "food":["pasta"] }] }}</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>Now want to filter the dogs by name and present them relevant food.</P> <P>When I try this search(with the relevant index):</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">result.dogs{}.name = dog_a| table result.dogs{}.food{}</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>I Am getting this result:</P> <P>pizza</P> <P>burger</P> <P>pasta&nbsp;</P> <P>&nbsp;</P> <P>I Am expecting to get only dog-a foods(pizza and burger)&nbsp;&nbsp;</P> Mon, 19 Sep 2022 15:39:15 GMT mottig 2022-09-19T15:39:15Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-search-by-value-from-a-json-list/m-p/613557#M213243 <P>Hi&nbsp;</P> <P>Consider this event structure :</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="javascript">{"result" : {"dogs" : [{"name" : "dog-a", "food":["pizza", "burger"] }, {"name" : "dog-b", "food":["pasta"] }] }}</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>Now want to filter the dogs by name and present them relevant food.</P> <P>When I try this search(with the relevant index):</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">result.dogs{}.name = dog_a| table result.dogs{}.food{}</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>I Am getting this result:</P> <P>pizza</P> <P>burger</P> <P>pasta&nbsp;</P> <P>&nbsp;</P> <P>I Am expecting to get only dog-a foods(pizza and burger)&nbsp;&nbsp;</P> Mon, 19 Sep 2022 15:39:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-search-by-value-from-a-json-list/m-p/613557#M213243 mottig 2022-09-19T15:39:15Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-search-by-value-from-a-json-list/m-p/613581#M213249 <P>The quick and dirty method going on the exact event format in your query is to run regex and create new lines per dog.</P><P>&nbsp;</P><LI-CODE lang="markup">| rex field=_raw "dogs\" : \[(?&lt;dogs_raw&gt;.+)\] " | eval new_dogs=split(replace(dogs_raw, "},{", "}##{"), "##") | mvexpand new_dogs | spath input=new_dogs | search name="dog-a" | table food{}</LI-CODE><P>&nbsp;</P><P>Lines 1&amp;2 extracts everything from "dogs" and splits them out into a multivalue field called new_dogs.<BR />Lines 3&amp;4 expands them out to one row per dog and extracts the fields.<BR /><BR />If this is a datasource you'll be using a lot and other users will be looking at it, it might be worth tweaking your input to split each dog into its own event which would make lines 1-4 redundant.&nbsp;</P> Mon, 19 Sep 2022 10:44:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-search-by-value-from-a-json-list/m-p/613581#M213249 andrew_nelson 2022-09-19T10:44:55Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-search-by-value-from-a-json-list/m-p/613587#M213252 <P>Hi thank you for your answer.</P><P>When I Am running the search I Am getting a warning that -&nbsp;&nbsp;<SPAN>Field 'new_dogs' does not exist in the data.</SPAN></P> Mon, 19 Sep 2022 11:22:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-search-by-value-from-a-json-list/m-p/613587#M213252 mottig 2022-09-19T11:22:20Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-search-by-value-from-a-json-list/m-p/613684#M213287 <P>You want to access structured result.dogs{}, instead of operating on result.dogs{}.name directly, because you want to apply&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Mvexpand" target="_blank" rel="noopener">mvexpand</A>&nbsp;to the structure. &nbsp;Internal structure of JSON can be accessed with path option in <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath" target="_blank" rel="noopener">spath</A>. &nbsp;After mvexpand, you then extract inner fields using spath. (Yes, again.) &nbsp;Try this</P><P>&nbsp;</P><LI-CODE lang="markup">| spath path=result.dogs{} | mvexpand result.dogs{} | spath input=result.dogs{} | where name == "dog-a"</LI-CODE><P>&nbsp;</P><P>&nbsp;Output from your sample data is</P><TABLE><TBODY><TR><TD><DIV class="">food{}</DIV></TD><TD>name</TD><TD>result.dogs{}</TD></TR><TR><TD><DIV class="">pizza</DIV><DIV class="">burger</DIV></TD><TD>dog-a</TD><TD>{"name" : "dog-a", "food":["pizza", "burger"] }</TD></TR></TBODY></TABLE> Tue, 20 Sep 2022 05:19:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-search-by-value-from-a-json-list/m-p/613684#M213287 yuanliu 2022-09-20T05:19:27Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-search-by-value-from-a-json-list/m-p/613709#M213296 <P>Hi</P><P>Thank you for your answer.</P><P>It worked like a magic&nbsp;</P> Tue, 20 Sep 2022 06:56:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-search-by-value-from-a-json-list/m-p/613709#M213296 mottig 2022-09-20T06:56:41Z