How to extract a multivalued JSON Field based on ...

darshildave · ‎02-12-2019

Hello,
I want to extract a multivalued field in a nested JSON event

A:    [
         {    [-]
            file: x
            type:a    
         }    
         {    [-]
             file: y
             type:b
         }    
       ]

Here in the above JSON, i want to extract the field named 'file' if and only if the type = 'a' and not 'b'.
Inside props.conf, I specified a condition as mentioned :

EVAL-myfile= if('type'=="a",'file', "")

The problem here is, it will extract even the file where type='b' as they belong to the same event.
Is there a way in props.conf to correctly evaluate the file attribute in this nested JSON ?
Also I need to map this field for Splunk CIM data Model so I can not do this in the search query of dashboards.

woodcock · ‎02-12-2019

Like this (assuming that you are using INDEXED_EXTRACTIONS = json😞

EVAL-myfile = mvindex(file, mvfind(type, "a"))

darshildave · ‎02-14-2019

No we are not using INDEXED_EXTRACTIONS = json

woodcock · ‎02-14-2019

Then there are no indexed fields to use at index-time so it is impossible.

How to extract a multivalued JSON Field based on a certain condition inside an event in props.conf?

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Tech Talk | One Log to Rule Them All