How to extract a multivalued JSON Field based on ...

darshildave · ‎02-12-2019

Hello,
I want to extract a multivalued field in a nested JSON event

A:    [
         {    [-]
            file: x
            type:a    
         }    
         {    [-]
             file: y
             type:b
         }    
       ]

Here in the above JSON, i want to extract the field named 'file' if and only if the type = 'a' and not 'b'.
Inside props.conf, I specified a condition as mentioned :

EVAL-myfile= if('type'=="a",'file', "")

The problem here is, it will extract even the file where type='b' as they belong to the same event.
Is there a way in props.conf to correctly evaluate the file attribute in this nested JSON ?
Also I need to map this field for Splunk CIM data Model so I can not do this in the search query of dashboards.

woodcock · ‎02-12-2019

Like this (assuming that you are using INDEXED_EXTRACTIONS = json😞

EVAL-myfile = mvindex(file, mvfind(type, "a"))

darshildave · ‎02-14-2019

No we are not using INDEXED_EXTRACTIONS = json

woodcock · ‎02-14-2019

Then there are no indexed fields to use at index-time so it is impossible.

How to extract a multivalued JSON Field based on a certain condition inside an event in props.conf?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation