topic Re: Splunk query in Splunk Search

Splunk query

ash2 — Thu, 16 May 2024 03:21:29 GMT

Hi All, hope you are having a great day, I have a quick question. I have the data given as below, how do i extract just the first value if attribute newValue (in our Eg., its "None"), first value of newValue keeps changing so cannot be hard-coded.
```{}```

{
targetResources: [
     {
       displayName: null
       groupType: null
       id: f61b1166
       modifiedProperties: [
         {
           displayName: PasswordPolicies
           newValue: ["None"] // extract only this value
           oldValue: ["DisablePasswordExpiration"]
         }
         {
           displayName: Included Updated Properties
           newValue: "PasswordPolicies"
           oldValue: null
         }
         {
           displayName: TargetId.UserType
           newValue: "Member"
           oldValue: null
         }
       ]
}

Re: Splunk query

gcusello — Thu, 16 May 2024 05:17:55 GMT

Hi @ash2,

please try this:

| rex max_match=1 "(?ms)newValue:\s+\[*\"(?<newValue>[^\"]+)"

Ciao.

Giuseppe

Re: Splunk query

ash2 — Thu, 16 May 2024 05:29:06 GMT

Hi Giuseppe,

Thank you for the query, unfortunately its not working for me.

Re: Splunk query

gcusello — Thu, 16 May 2024 07:05:23 GMT

Hi @ash2,

max_match is an option of the rex command that says to the rex to take only the first extracted value, it isn't a field to display.

please try this (adding the new field (newValue2) to the table to see the difference:

| rex max_match=1 "(?ms)newValue:\s+\[*\"(?<newValue2>[^\"]+)"

Ciao.

Giuseppe

Re: Splunk query

PickleRick — Thu, 16 May 2024 08:02:10 GMT

I'm not sure what you mean but if you want the value of the newValue field from the first object in the modifiedProperties array, you can use spath to extract value from particular node of your json structure.

| spath targetResources[0].modifiedProperties[0].newValue[0]

(if I remember the path syntax correctly; writing from memory)

Re: Splunk query

ash2 — Sun, 19 May 2024 23:53:35 GMT

Hi Giuseppe,

Thank you for highlighting the mistake. I corrected the variable to newValue2 but unfortunately I found no luck with the query.

Re: Splunk query

ash2 — Mon, 20 May 2024 02:25:17 GMT

Thanks @PickleRick ,

the query line you posted is not supported, not if it was before. Splunk is erring out saying unknown value 0

Re: Splunk query

ash2 — Tue, 21 May 2024 00:24:46 GMT

I found the solution.

| eval firstNewValue = mvindex(newValue,0)

Re: Splunk query

gcusello — Tue, 21 May 2024 05:25:34 GMT

Hi @ash2 ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉