topic How to filter by if a field exist? in Splunk Search

How to filter by if a field exist?

YatMan — Tue, 13 Dec 2022 15:12:26 GMT

My sample events look like this , API logs

{ location: Southeast Asia, properties: { backendMethod: GET errors: [ {some huge nested object}, {some huge nested object} ] } }

I want to search only the events with the "errors" field. If the API is successful, it does not have this "errors" field, and I don't want to search them.

I have tried
{baseSearch} | where mvcount('properties.errors') > 0 , this return nothing
{baseSearch} | where mvcount("properties.errors") > 0 , returning even the events without the "errors" field
{baseSearch} | where isnotnull('properties.errors'), this return nothing
{baseSearch} | where isnotnull("properties.errors"),returning even the events without the "errors" field
{baseSearch} | "properties.errors"=*. , this return nothing

I just need something simple like {baseSearch} | where exist(properties.errors), what is the most simple way

Re: How to filter by if a field exist

yuanliu — Tue, 13 Dec 2022 10:20:27 GMT

Several possibilities. One is to find a common subnode in those huge nested objects. For example, if 'id' is common in the array, do

| where isnotnull('properties.errors{}.id')

Another could be to run a second spath on the error (which can be beneficial for further processing, anyway)

| spath path=properties.errors{} | where isnotnull('properties.errors{}')

(As always, remember to add {} to represent a JSON array.) Hope this helps.

Re: How to filter by if a field exist?

YatMan — Tue, 13 Dec 2022 23:32:33 GMT

This is working, thank you!