https://community.splunk.com/t5/Splunk-Search/On-understanding-array-versus-multivalue-fields/m-p/628551#M218336 <P>Greetings. My Splunk instance parses messages which has a JSON array type:</P><P>&nbsp;</P><P>```</P><P>{ tags: ["info", "foo", "bar"] }</P><P>```</P><P>Let's say I want to search for events where precisely the second index of the tags field has the value "foo".</P><P>&nbsp;</P><OL><LI>Having consulted the Splunk docs, I found&nbsp;<A href="https://docs.splunk.com/Documentation/SCS/current/Search/Arrayandobjectexpressions" target="_self">Array and object expressions</A>&nbsp;. I tried using Array and object expressions, and all of my queries ended poorly</LI><LI>Eventually I was pointed to&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/9.0.3/SearchReference/MultivalueEvalFunctions" target="_self">MultivalueEvalFunctions</A>&nbsp;, which worked.</LI></OL><P>Using Multivalue fns&nbsp; left me with many questions:</P><OL><LI>Why is my JSON array parsed as a multivalue? Why is it not an array?</LI><LI>If I execute `typeof('tags')`, I get "Invalid". Why? Shouldn't it be Array or Multivalue?</LI><LI>If I execute `typeof('tags{}')`, I get "Multivalue". Why? What did that operator do, and why was it required?</LI></OL><P>More or less, as a polyglot programmer with a decade of experience, I found splunk operations on collections to be not just unintuitive, but counter intuitive.&nbsp; Beyond my explicit three question categories above, if compelled, let me know other best-known-practices around searching with array-ish fields <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 26 Jan 2023 21:54:33 GMT cdieringerwm 2023-01-26T21:54:33Z https://community.splunk.com/t5/Splunk-Search/On-understanding-array-versus-multivalue-fields/m-p/628551#M218336 <P>Greetings. My Splunk instance parses messages which has a JSON array type:</P><P>&nbsp;</P><P>```</P><P>{ tags: ["info", "foo", "bar"] }</P><P>```</P><P>Let's say I want to search for events where precisely the second index of the tags field has the value "foo".</P><P>&nbsp;</P><OL><LI>Having consulted the Splunk docs, I found&nbsp;<A href="https://docs.splunk.com/Documentation/SCS/current/Search/Arrayandobjectexpressions" target="_self">Array and object expressions</A>&nbsp;. I tried using Array and object expressions, and all of my queries ended poorly</LI><LI>Eventually I was pointed to&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/9.0.3/SearchReference/MultivalueEvalFunctions" target="_self">MultivalueEvalFunctions</A>&nbsp;, which worked.</LI></OL><P>Using Multivalue fns&nbsp; left me with many questions:</P><OL><LI>Why is my JSON array parsed as a multivalue? Why is it not an array?</LI><LI>If I execute `typeof('tags')`, I get "Invalid". Why? Shouldn't it be Array or Multivalue?</LI><LI>If I execute `typeof('tags{}')`, I get "Multivalue". Why? What did that operator do, and why was it required?</LI></OL><P>More or less, as a polyglot programmer with a decade of experience, I found splunk operations on collections to be not just unintuitive, but counter intuitive.&nbsp; Beyond my explicit three question categories above, if compelled, let me know other best-known-practices around searching with array-ish fields <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 26 Jan 2023 21:54:33 GMT https://community.splunk.com/t5/Splunk-Search/On-understanding-array-versus-multivalue-fields/m-p/628551#M218336 cdieringerwm 2023-01-26T21:54:33Z https://community.splunk.com/t5/Splunk-Search/On-understanding-array-versus-multivalue-fields/m-p/628552#M218337 <P>The SCS docs describe SPL2, not the SPL which is used in Splunk Enterprise and Splunk Cloud. In SPL there are no arrays. There are only multivalued fields.</P><P>The {} in 'tags{}' is just a part of the name. It's not an operator.</P> Thu, 26 Jan 2023 23:12:10 GMT https://community.splunk.com/t5/Splunk-Search/On-understanding-array-versus-multivalue-fields/m-p/628552#M218337 PickleRick 2023-01-26T23:12:10Z