https://community.splunk.com/t5/Splunk-Search/How-to-filter-values-returned-from-an-array-field/m-p/675449#M231105 <P>Thanks for your reply.&nbsp; It returns multiple results because there's more than one tag in the array per event.&nbsp; "stats count by tags{}.name" returns 1 count for each tag.</P><LI-CODE lang="markup"> os_system_name: Microsoft Windows os_type: Workstation os_vendor: Microsoft os_version: 22H2 risk_score: 747.0674438476562 severe_vulnerabilities: 1 tags: [ [-] { [-] name: Asset_Workstation type: CUSTOM } { [-] name: Dept_Finance type: SITE } ] total_vulnerabilities: 1 </LI-CODE><P>&nbsp;Results:</P><TABLE border="1" width="100%"><TBODY><TR><TD width="50%">tags{}.name</TD><TD width="50%">count</TD></TR><TR><TD>Asset_Workstation</TD><TD>1</TD></TR><TR><TD width="50%">Dept_Finance</TD><TD width="50%">1</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>I wasn't able to run eval or where operations on the tags{}.name without getting an error so I was stuck.&nbsp; I just stumbled on my answer but I appreciate your time looking at this.&nbsp; I knew it had to be a simple query but I wasn't initially able to put it together.&nbsp; Feel free to offer a better more efficient way to get the below results.</P><LI-CODE lang="markup">(index="index_name") | dedup id | stats count by tags{}.name | rename tags{}.name AS dept | where (dept like "Dept_%")</LI-CODE><P>&nbsp;Results:</P><TABLE border="1" width="100%"><TBODY><TR><TD width="50%">dept</TD><TD width="50%">count</TD></TR><TR><TD width="50%">Dept_Finance</TD><TD width="50%">1</TD></TR></TBODY></TABLE> Thu, 25 Jan 2024 20:45:07 GMT splguy 2024-01-25T20:45:07Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-values-returned-from-an-array-field/m-p/675440#M231101 <P>I have events with an array field named "tags".&nbsp; The tags array has 2 fields for each array object named "name" and "type".&nbsp; I reference this array as tags{}.name.&nbsp;</P><P>The values being returned for one event are:<BR />name, type<BR />Dept_Finance, Custom<BR />Asset_Workstation, Custom</P><P>My goal is to count the events by tags starting with "Dept_".</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">(index="index_name") | dedup id | stats count by tags{}.name</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;This returns the correct count of tags for "Dept_" but it's also including all other tags that do not begin with "Dept_".&nbsp; The Asset_Workstation tag is attached to this event however I don't want it to output in the query.&nbsp; How can I pull records with multiple tags but exclude all tags not beginning with "Dept_" from the output?</P><P>I know this is an easy thing to do but I'm still learning SPL.&nbsp; Thanks for your help.</P> Thu, 25 Jan 2024 19:12:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-values-returned-from-an-array-field/m-p/675440#M231101 splguy 2024-01-25T19:12:54Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-values-returned-from-an-array-field/m-p/675444#M231102 <BLOCKQUOTE><HR /><P>&nbsp;This returns the correct count of tags for "Dept_" but it's also including all other tags that do not begin with "Dept_".</P><HR /></BLOCKQUOTE><P>I don't understand this statement. &nbsp;Other than groupby field <FONT face="courier new,courier">tags{}.name</FONT> itself, &nbsp;<FONT face="courier new,courier">| stats count by tags{}.name</FONT> only gives one single output, that is count. &nbsp;How does it "include other tags", Dept_ or not?</P><P>You can help us by illustrating the results you want, and the results the search actually gives you. (Anonymize as needed.) &nbsp;Explain why the result is not what you expected.</P> Thu, 25 Jan 2024 20:06:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-values-returned-from-an-array-field/m-p/675444#M231102 yuanliu 2024-01-25T20:06:49Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-values-returned-from-an-array-field/m-p/675449#M231105 <P>Thanks for your reply.&nbsp; It returns multiple results because there's more than one tag in the array per event.&nbsp; "stats count by tags{}.name" returns 1 count for each tag.</P><LI-CODE lang="markup"> os_system_name: Microsoft Windows os_type: Workstation os_vendor: Microsoft os_version: 22H2 risk_score: 747.0674438476562 severe_vulnerabilities: 1 tags: [ [-] { [-] name: Asset_Workstation type: CUSTOM } { [-] name: Dept_Finance type: SITE } ] total_vulnerabilities: 1 </LI-CODE><P>&nbsp;Results:</P><TABLE border="1" width="100%"><TBODY><TR><TD width="50%">tags{}.name</TD><TD width="50%">count</TD></TR><TR><TD>Asset_Workstation</TD><TD>1</TD></TR><TR><TD width="50%">Dept_Finance</TD><TD width="50%">1</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>I wasn't able to run eval or where operations on the tags{}.name without getting an error so I was stuck.&nbsp; I just stumbled on my answer but I appreciate your time looking at this.&nbsp; I knew it had to be a simple query but I wasn't initially able to put it together.&nbsp; Feel free to offer a better more efficient way to get the below results.</P><LI-CODE lang="markup">(index="index_name") | dedup id | stats count by tags{}.name | rename tags{}.name AS dept | where (dept like "Dept_%")</LI-CODE><P>&nbsp;Results:</P><TABLE border="1" width="100%"><TBODY><TR><TD width="50%">dept</TD><TD width="50%">count</TD></TR><TR><TD width="50%">Dept_Finance</TD><TD width="50%">1</TD></TR></TBODY></TABLE> Thu, 25 Jan 2024 20:45:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-values-returned-from-an-array-field/m-p/675449#M231105 splguy 2024-01-25T20:45:07Z