https://community.splunk.com/t5/Splunk-Search/How-to-exclude-or-select-events-based-on-value-from-key-value/m-p/630406#M219013 <P>I am rather confused. &nbsp;Your sample code shows exactly what you are asking. &nbsp;In other words, you already have the answer. &nbsp;What is missing? &nbsp;If your code is not returning what you expect, you will need to illustrate the results and explain any difference between what you expect and what you receive.</P><P>Side note: Based on your search term, Splunk already extracted from JSON. &nbsp;You don't need another spath. &nbsp;Also, if all operators between logical terms is AND, there is no need to bracket them. Additionally, in search command, default operator is AND, so you can also omit that keyword.</P> Fri, 10 Feb 2023 07:43:45 GMT yuanliu 2023-02-10T07:43:45Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-or-select-events-based-on-value-from-key-value/m-p/630343#M218989 <P>Hi All,</P> <P>Our&nbsp;<SPAN>JSON payload looks like as shown below. The msg.details array can have any number key/value pairs in any order.</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">{ "appName": "TestApp", "eventType": "Response", "msg": { "transId": "Trans1234", "status": "Success", "client": "clientXyz", "responseTime": 1650, "details": [ { "keyName": "returnUrl", "keyValue": "https://abc.com/onlineshop?prod=112&amp;cat=1349" }, { "keyName": "customer", "keyValue": "xyz" } ], "url": "/v1/test" } }</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>I want to filter events using partial wildcard keyValue for a keyName in the array in the msg.details array. Your help is appreciated. Thanks.</P> <P><SPAN>index=* appName="TestApp" msg.url="/v1/test" |&nbsp; spath | search msg.details{}.keyName=returnUrl AND&nbsp;msg.details{}.keyValue!="*abc.com*"</SPAN></P> <P>The search may include multiple keyValue filters in the array like this. Thanks.</P> <P><SPAN>index=* appName="TestApp" msg.url="/v1/test" |&nbsp; spath | search&nbsp;(msg.details{}.keyName=customer AND&nbsp;msg.details{}.keyValue!="xyz") AND (msg.details{}.keyName=returnUrl AND&nbsp;msg.details{}.keyValue!="*abc.com*")</SPAN></P> Thu, 09 Feb 2023 18:59:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-or-select-events-based-on-value-from-key-value/m-p/630343#M218989 btsr 2023-02-09T18:59:22Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-or-select-events-based-on-value-from-key-value/m-p/630406#M219013 <P>I am rather confused. &nbsp;Your sample code shows exactly what you are asking. &nbsp;In other words, you already have the answer. &nbsp;What is missing? &nbsp;If your code is not returning what you expect, you will need to illustrate the results and explain any difference between what you expect and what you receive.</P><P>Side note: Based on your search term, Splunk already extracted from JSON. &nbsp;You don't need another spath. &nbsp;Also, if all operators between logical terms is AND, there is no need to bracket them. Additionally, in search command, default operator is AND, so you can also omit that keyword.</P> Fri, 10 Feb 2023 07:43:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-or-select-events-based-on-value-from-key-value/m-p/630406#M219013 yuanliu 2023-02-10T07:43:45Z