topic How to filter an array element based two fields? in Splunk Search

How to filter an array element based two fields?

jiangxue — Wed, 23 Apr 2014 23:14:41 GMT

I am trying to get all the event within the 'browsers' field there is an element with name=IE && data!=null

here is an example of the event. The order of those browsers can be anything. Some browser may have not data field.

1 How do I find those events that has this kind of element in 'browsers'
2 How do I extract the 'data' field of particular browser, like IE

browsers[

{ name: firefox
data:[
{
usage: 10
time: 200
}
]
},

{ name: IE
data:[
{
usage: 30
time: 400
},
{
usage: 20
time: 500
}
]
},

{ name: Chrome
},
….

]

Re: How to filter an array element based two fields?

MuS — Thu, 24 Apr 2014 08:42:23 GMT

Hi jiangxue,

try something like this run everywhere search:

index=_internal | head 1 | eval foo="browsers[ {  name: firefox
   data:[
   {
   usage: 10
   time: 200
   }
  ]
},

{  name: IE
   data:[
   {
   usage: 30
   time: 400
   },
   {
   usage: 20
   time: 500
   }
  ]
},

{  name: Chrome
},
….

]" 
| rex max_match=0 field=foo "name:\s(?<myBrowser>.+)\s" 
| rex max_match=0 field=foo "usage:\s(?<myUsage>.+)\s" 
| table myBrowser myUsage

the first part is only to setup the test field called foo, based on your example.

The two following regex's will get you two new fields called myBroswer and myUsage. Set this up as automatic field extraction and do your stats on it.

I also tried spath but did not get any useful output, so I used rex instead

hope this hepls to get you going ...

cheers, MuS

Re: How to filter an array element based two fields?

martin_mueller — Thu, 24 Apr 2014 11:41:25 GMT

You're not getting anything useful with spath because this is neither JSON nor XML.

Re: How to filter an array element based two fields?

MuS — Thu, 24 Apr 2014 12:08:00 GMT

thx @martin_mueller I knew that.
I wrote it because I was curious myself if the spath command can do some hidden magic and handle this almost JSON like output just the same 😉